Sharing the Tools, (Tue, Mar 30th)

In the malware analysis world, you have to have the tools you feel most comfortable using; otherwise, a task that could be accomplished in 10 minutes would take hours.

But sometimes, finding the right tool for the task can be quite a challenge. This is one of the reasons I decided to create a site, called www.mysectools.com, where I am able to share some tools that were quite valuable in my day-by-day malware analysis tasks.

Now, I would like to comment on two tools that I was recently introduced to.

The first one is not directly related to malware analysis (at least in concept), since it is more of a development tool. It is called WinAPIOverride32.
It is actually a package/suite of 3 different tools, but the one I like most is dumper.exe, because sometimes you want more than just a click-and-dump application. This one gives you the freedom to choose what/how you want to dump a module, for example.

The second one is an anti-rootkit tool called XueTr, which honestly I didn't try outside a controlled environment (VMware, etc.).
This is another quite powerful tool, which in some ways reminds me of IceSword, which, if you don't know it, I would recommend checking out.

Happy Malware Analysis!
----------------------------------------------------------------
Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure
www.mysectools.com
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Microsoft Security Advisory (981374): Vulnerability in Internet Explorer Could Allow Remote Code Execution

Revision Note: V2.0 (March 30, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-018 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-018. The vulnerability addressed is the Uninitialized Memory Corruption Vulnerability - CVE-2010-0806.

MS10-018 - Critical: Cumulative Security Update for Internet Explorer (980182) - Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 30, 2010): Bulletin published.
Summary: This security update resolves nine privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Security Bulletin Summary for March 2010

Revision Note: V2.0 (March 30, 2010): Added Microsoft Security Bulletin MS10-018, Cumulative Update for Internet Explorer (980182). Also added the bulletin webcast link for this out-of-band security bulletin.
Summary: This bulletin summary lists security bulletins released for March 2010.

VMWare Security Advisories Out, (Tue, Mar 30th)

Yes, today is Monday, but we can already call it a week of patches/advisories.
We already got the Apple advisories, we already know about the MS OOB patch release tomorrow (March 30th), and today VMware has released the following new and updated security advisories:

New - VMSA-2010-0005
http://lists.vmware.com/pipermail/security-announce/2010/000086.html

Updated - VMSA-2009-0016.5
http://lists.vmware.com/pipermail/security-announce/2010/000087.html

Updated - VMSA-2010-0002.1
http://lists.vmware.com/pipermail/security-announce/2010/000088.html

Enjoy! Today is Monday! :)
------------------------------------------------------------------
Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure
http://www.mysectools.com
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Nmap 5.30BETA1 released, (Mon, Mar 29th)

Nmap 5.30BETA1 is out. Many new features, new NSE scripts, nping, some syntax changes, some bug fixes and more. Nmap is hands down one of my favourite tools and a must-have for any technical information security professional. Much more information and downloads are available as always at: http://nmap.org/
Cheers,

Adrien de Beaupré

EWA-Canada.com
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Honeynet Project: 2010 Forensic Challenge #3, (Sun, Mar 28th)

If you like a good InfoSec puzzle, the good people over at the Honeynet Project are at it again. They have just released Challenge #3 in their 2010 Forensic Challenge series.
This time they want you to analyze an image from a suspected infected workstation belonging to a user who has discovered suspicious banking transactions. There is swag involved, and submissions are due by April 18th.
Results of the previous two challenges are available from the Honeynet Project Challenges page.
Have fun!
-- Rick Wanner - rwanner at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Create a Summary of IP Addresses from PCAP Files using Unix Tools, (Sat, Mar 27th)

Every once in a while we collect large PCAP files for analysis. However, there are times when we are looking for a summary list of either the source or the destination addresses seen in those PCAP files over a period of time. The two examples shown here represent two suspicious ports that I noticed being targeted this week, and I wanted to know the source IPs of this traffic.
First, if needed, we remove the IP or IPs we don't want to include in our summary. If we are going to reuse a PCAP filter several times, it is better to put the libpcap filter in a file and pass it with tcpdump -F filter (tcpdump -nr file.pcap -F parsing_filter).

Breaking down the filter
In order to manipulate the data to our advantage, we need to determine what we are looking for. With our two examples, we are going to find which source IP addresses sent a TCP SYN packet to our gateway IP 192.168.21.32 on ports 465 and 2522, along with the number of occurrences in each of the PCAP files.
My complete traffic parsing looks like this:
guy@seeker$ tcpdump -ntr 2010032501 'dst host 192.168.21.32 and tcp[13] = 0x02 and dst port 2522' | awk '{print $2}' | tr . ' ' | awk '{print $1"."$2"."$3"."$4}' | sort | uniq -c | awk '{print $2 "\t" $1}'
reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
XX.169.170.84 10
Breaking down each section
- Part 1 is the tcpdump switches: we are using -n (don't resolve names), -t (don't print date/time) and -r 2010032501 (file name to replay).
- Part 2 is the libpcap filter ('dst host 192.168.21.32 and tcp[13] = 0x02 and dst port 2522'), which keeps only inbound TCP SYN packets (tcp[13] = 0x02) to our gateway (dst host 192.168.21.32) on TCP port 2522.
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,nop,wscale 3,nop,nop,timestamp 895725079 0,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,nop,wscale 3,nop,nop,timestamp 895725088 0,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,nop,wscale 3,nop,nop,timestamp 895725098 0,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>

- Part 3 we add a pipe with awk (| awk '{print $2}') to print only the source IP from the tcpdump result. Field $2 (source IP) could be changed to $4 to use the destination address.
reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316
xx.169.170.84.50316

- Part 4 we add a pipe with tr (| tr . ' ') to change the periods to spaces so we can remove the source port (50316) in the next step.
reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316
xx 169 170 84 50316

- Part 5 we add a pipe with awk (| awk '{print $1"."$2"."$3"."$4}') to reconstruct the source IP address(es) without the port.
reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84

- Part 6 we add a pipe with sort (| sort) to sort our traffic by IP, so that identical addresses end up adjacent for the next step. In this case we only have one source.
reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84
xx.169.170.84

- Part 7 we add a pipe with uniq -c (| uniq -c) to count the number of times each source IP was seen in the PCAP file.
reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
10 xx.169.170.84

- The last part is just for formatting purposes: we reverse the order of the last output and insert a tab (| awk '{print $2 "\t" $1}') to show the IPs in the first column and the number of times seen in the second.
reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
xx.169.170.84 10

Another example, with its results, for destination port TCP 465:
guy@seeker$ tcpdump -ntr 2010032508 'dst host 192.168.21.32 and tcp[13] = 0x02 and dst port 465' | awk '{print $2}' | tr . ' ' | awk '{print $1"."$2"."$3"."$4}' | sort | uniq -c | awk '{print $2 "\t" $1}'
reading from file 2010032508, link-type LINUX_SLL (Linux cooked)
XX.237.148.241 3
XXX.197.208.107 3
XXX.199.183.68 3
XXX.22.87.36 3
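The same summary done with a single awk program, as an added example that is not part of the original diary: instead of the tr | awk | sort | uniq -c chain it drops the last dotted component (the port) from the chosen address field and counts addresses in an associative array, so it works unchanged when several sources are present and when you want the destination ($4) rather than the source ($2). It reads tcpdump text on standard input (for example the output of tcpdump -ntr file.pcap -F parsing_filter); the sample lines below are constructed in that format, with xx placeholders as in the diary, and the function name summarize_hosts is my own.

```shell
#!/bin/sh
# Added example, not the diary's own pipeline: summarize the addresses seen in
# tcpdump text output with one awk program instead of tr | awk | sort | uniq -c.
# Input format assumed: lines as printed by "tcpdump -nt" (no names, no time),
# i.e. "IP <src>.<sport> > <dst>.<dport>: ...". Any other line is ignored.

summarize_hosts() {
    # $1 selects which address to summarize: "src" (field 2) or "dst" (field 4).
    case "$1" in
        dst) field=4 ;;
        *)   field=2 ;;
    esac
    awk -v f="$field" '
        $1 == "IP" && $3 == ">" {
            addr = $f
            sub(/:$/, "", addr)          # the destination field ends with ":"
            n = split(addr, p, ".")      # last dotted component is the port
            if (n < 5) next              # no port present (not TCP/UDP): skip
            ip = p[1] "." p[2] "." p[3] "." p[4]
            count[ip]++
        }
        END { for (ip in count) printf "%s\t%d\n", ip, count[ip] }
    ' | sort
}

# Constructed sample of tcpdump -nt output (xx = masked octet, as in the diary).
# The "reading from file" line is what tcpdump prints on stderr; it is included
# here only to show that non-packet lines are skipped.
SAMPLE='IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.169.170.84.50316 > 192.168.21.32.2522: S 2853915482:2853915482(0) win 65535 <mss 1412,sackOK,eol>
IP xx.237.148.241.4433 > 192.168.21.32.465: S 1:1(0) win 5840 <mss 1460,sackOK,eol>
reading from file 2010032501, link-type LINUX_SLL (Linux cooked)
IP xx.237.148.241.4434 > 192.168.21.32.465: S 2:2(0) win 5840 <mss 1460,sackOK,eol>'

printf '%s\n' "$SAMPLE" | summarize_hosts src
```

The SYN-only selection is still left to the libpcap filter, as in the diary; the trailing sort only makes the output order deterministic, since the counting itself happens in awk's associative array.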
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

HP-UX Running NFS/ONCplus, Inadvertently Enabled NFS, (Sat, Mar 27th)

HP issued a security bulletin for HP-UX 11.31 (running NFS/ONCplus version B.11.31_08 or prior), where a remote user can access NFS shares on the target system if NFS/ONCplus is running, because NFS may be inadvertently enabled. The complete list of affected versions and the resolution is available here.
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Interested in taking SANS Sec 503 in French?
Register at http://www.sans.org/nice-2010/ for the Community SANS Nice, France, June 21 to 26, 2010
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

SIFT2.0 SANS Investigative Forensics Toolkit released, (Fri, Mar 26th)

SANS Faculty Fellow Rob Lee created the SANS Investigative Forensic Toolkit (SIFT) Workstation, which is also featured in the SANS FOR 508 course, in order to show that advanced investigations and investigating hackers can be accomplished using freely available open-source tools. The new version of SIFT was just released and is a VMware appliance that is pre-configured with all the necessary tools to perform a detailed digital forensic examination. More information on the SANS forensics curriculum and SIFT 2.0 can be found on https://computer-forensics.sans.org/ and in the download section on that page.
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Zeus wants to do your taxes, (Thu, Mar 25th)

I've received reports of suspicious emails claiming to be from the IRS. It's a common scheme to get a user to click and run an executable.
It looks like zeus/zbot to me (more on that here: https://zeustracker.abuse.ch/faq.php; their cert is a little non-standard), but I can't share the details yet. If you've received one of these emails and don't mind sharing the details with our readers, please submit a copy (via: http://isc.sans.org/contact.html).
The email looks something like this (thanks for sharing, Michael!):

Subject: Underreported Income Notice
Taxpayer ID: recipient-00000198499136US
Tax Type: INCOME TAX

Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

Internal Revenue Service

hxxp://www.irs.gov.assewyx.co.uk/fraud.applications/application/statement.php?

The download in this particular link was tax-statement.exe.
If you want to check your own logs to catch this and similar attacks, I'd suggest looking for domains that look like www.irs.gov.stuff and downloaded executables with the word tax in them.
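A small log check along the lines suggested above, as an added example that is not from the diary: it assumes a web proxy log with one request per line in the constructed form "<time> <client-ip> <url>", extracts the host and file name from the URL, and flags hosts where irs.gov is followed by further labels (so the registered domain is something else) as well as executable downloads with tax in the file name. The sample lines are constructed; the lookalike host is the one quoted (defanged) in the diary, and the function name flag_tax_lures is my own.

```shell
#!/bin/sh
# Added example (not from the diary): hunt a proxy log for the two indicators
# the diary suggests: "irs.gov" used as a subdomain of some other domain, and
# executable downloads whose file name contains "tax".
# Assumed log format, one request per line: <time> <client-ip> <url>

flag_tax_lures() {
    awk '{
        url = $3
        host = url
        sub("^[a-z]+://", "", host)        # drop the scheme
        sub("[/:?].*$", "", host)          # drop port, path and query string
        host = tolower(host)
        path = url
        sub("^[a-z]+://[^/]*", "", path)   # keep only the path
        sub("[?].*$", "", path)            # drop the query string
        n = split(path, seg, "/")
        file = tolower(seg[n])             # last path segment = file name
        reason = ""
        # irs.gov followed by more labels: the real domain is whatever follows
        if (host ~ /^irs\.gov\./ || host ~ /\.irs\.gov\./)
            reason = "irs.gov-lookalike"
        if (file ~ /tax/ && file ~ /\.exe$/) {
            if (reason != "") reason = reason ","
            reason = reason "tax-executable"
        }
        if (reason != "")
            printf "%s %s %s %s\n", $1, $2, host, reason
    }'
}

# Constructed sample log lines. The first is the real IRS site and must not be
# flagged; the lookalike host is the (defanged) one quoted in the diary.
LOG='2010-03-25T10:01:02 10.0.0.5 http://www.irs.gov/individuals/index.html
2010-03-25T10:03:15 10.0.0.7 http://www.irs.gov.assewyx.co.uk/fraud.applications/application/statement.php?id=1
2010-03-25T10:03:19 10.0.0.7 http://www.irs.gov.assewyx.co.uk/fraud.applications/tax-statement.exe
2010-03-25T10:05:40 10.0.0.9 http://downloads.example.net/updates/taxprep-2010.exe'

printf '%s\n' "$LOG" | flag_tax_lures
```

The host test deliberately matches only when irs.gov is followed by a dot, so the legitimate www.irs.gov host passes while www.irs.gov.<anything> is reported; the file-name test is the diary's "tax in the name" heuristic restricted to .exe downloads, so expect it to need tuning against your own traffic.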
For those with enough free time to try to track the different groups using zeus, this one has an Avalanche feel to it.
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.


Feed Source

Information mostly from: http://isc.sans.org
