Thursday, October 30, 2008

Spliced feed for Security Bloggers Network

Security Briefing - October 30th [Liquidmatrix Security Digest]

Posted: 30 Oct 2008 06:47 AM CDT



I’m sensing a shift within, a return to health. I shan’t speak too much of it, lest I jinx myself.
I hope your Thursday is great!

The Intern

And now, the news…

  1. On Being Informative, or Seeing Through the Fog - Thanks Alex.
  2. Schneier sticks it to surveillance - The Register Inglorious five-year snoop-plan
  3. Please Help Me: I Need a QSA To Assess PCI/DSS Compliance In the Cloud… - Rational Survivability Chris Hoff asks for assistance, do you have what he needs?
  4. Web security firm warns of obfuscated code - Security Focus
  5. DHS cybersecurity boss fights back against critics - The Register “Cybersecurity boss”, wonder if that’s on his business card.
  6. Would you like a loan with that copier? - The Globe and Mail
  7. And a few from the lighter side:
  8. NetFlix: Netflix Teams Up With TiVo the Way We Want - Gizmodo I may never leave the house again.
  9. Cars: Hidden Batcave Raises From the Underground to Reveal Shiny Lamborghinis - Gizmodo Learning the business is loads of fun, but deep down, I really want to be a Superhero.

GET VPN notes [Francois Ropert weblog]

Posted: 30 Oct 2008 06:18 AM CDT

Here are my notes about GET VPN technology. My lab consists of a backbone, 3KS and 3GM.

Cisco Secure Firewall Services Module (FWSM) Ciscopress book review [Francois Ropert weblog]

Posted: 30 Oct 2008 06:03 AM CDT

Cisco FWSM is the firewall module card which can be inserted into a Catalyst 6500. Based on PIX algorithms and the Finesse operating system, many concepts are similar to the ones you will find in PIX or ASA. The real added value is that it's modular and can be connected to a lot of other modular cards like CSM, ACE or MSFC.

Chinese E-card Blended Threat Malware [Commtouch Café]

Posted: 30 Oct 2008 03:19 AM CDT

In case you thought all the e-card malware was sent in English or Russian, of course other nations have their say as well. Here is an example of a recent outbreak of Chinese e-card messages that Arik from the spam analysis team shared with me. This is considered a “blended threat,” that is an email [...]

Tips for getting started in information security [Kees Leune]

Posted: 29 Oct 2008 08:58 PM CDT

I regularly get questions from students who expect to graduate soon asking what they need to do to get started in the information security field. Unfortunately, I cannot give a straight unambiguous answer to that. What I can do is start a thought process for that student. In the end, they will have to do the work.
Become experienced
Get a job that sounds like it is relevant to security. It does not actually have to be dead-on, but when a potential employer reads your resume, she must feel some sort of connection. Unfortunately, most security jobs ask for experience, so that is exactly what you need to get.

Most likely, the easiest way to do so is to find a job for a large consultancy organization and make it clear to them that you are willing to work hard, travel when necessary, and add value to their organization. At the same time, don't let your employer ever doubt that you are going to become an information security specialist.

Information security professionals are service providers and you need to figure out if you want to become a consultant that comes in to do a job, or if you want to work for the organization that uses your services. Make up your mind if you want to become a product specialist. Early in your career, consulting is not a bad way to go, since that will expose you to different industries, different problems and different working cultures. 

Deciding if you want to work in a specific industry, or in a particular geographic area is also part of making the focus decisions. I know people who decided very early on that they wanted to work for a specific organization and they had their career plan centered around that goal. The same is true for geographical areas. If you decide that you want to work in the New York City, you will probably end up in the financial services industry or in fashion. If you are on Long Island, start learning about medical services. Other areas have similar industry focuses.

Think hard about the area in which you want to specialize and work towards that. Depending on the direction in which you want to move, you will need to spend just about every waking hour doing "stuff" with security.

If you chose your direction to be penetration testing, find a pentesting job. When you come home, start doing stuff in your own lab. If you want to become an incident responder, look in that area and start dabbling with forensics-type stuff on your own time. If you want to become an information security manager, try to get some leadership experience. If you want to become an application security specialist, start coding.

There is much discussion surrounding the actual value of a security certification, but the basic fact is that employers will look for something that can distinguish you from the rest. Not having a certification is definitely a distinguishing factor, but it may not be what you want.

When choosing your certifications, keep your specialization goals in mind. It is useless (and may even work against you) to pursue vendor-specific certifications if you want to do something with a broader scope. The opposite is also true-- striving to pursue a general certification when you want to be a niche specialist is also pointless.

Make yourself visible: become a member of security organizations and go to chapter meetings. Attend as many events as you can, even if they are not in your focus area. At worst, you will spend an afternoon thinking about why the topic is not relevant to you (also valuable), and at best you meet your next employer.

If there are no chapters, start one. If you can afford it, begin visiting security conventions and conferences, reading (and comment on) blogs, maybe even start your own blog, join dedicated chat rooms and online forums, jump on twitter, linkedin, etc. Set up your own web site; don't be afraid to oversell yourself, but never lie. As an information security professional, your personal reputation and credibility is everything. The information security field is young, highly dynamic and the good people in the field form a close community. Associate with the right people.

Finally, come up with a career plan. That plan will be neither perfect nor complete when you first make it, but continue to update it as your expectations of the future take on more concrete form. Write down that plan on paper (not just as a file on a computer-- paper is more convincing!)

No employer expects that you spend your entire working life with them, but job-hopping every few months will come back to bite you. It creates the impression that you are not reliable, because you are not going to be around long enough to invest in. Plan to stay in a position for at least a year.

November - We Remember Our Heroes [Infosecurity.US]

Posted: 29 Oct 2008 07:12 PM CDT

November (the month of Municipal, County, State, Territory and National Election Day, US Veteran’s Day (11/11/2008), the birthday of the United States Marine Corps (11/10/2008) and, lest we forget, Canadian Remembrance Day (11/11/2008)) is a great month to reflect on the Achievements of the Absolutely Outstanding Men and Women we all can call Heroes. Please Remember [...]

Decrypting RSA Europe [Got the NAC]

Posted: 29 Oct 2008 06:47 PM CDT

This week, I’m blogging from RSA Europe in London. The conference is dedicated to Alan Turing, the great British cryptographer and early computer scientist. The folks at Bletchley Park teamed with a local hobbyist to bring an Enigma machine and other cryptographic machines to the conference. I had a great time playing with the Enigma.
Steve fools around with an Enigma

Attendance at the show was down a bit from last year, probably due to the poor economy. Still, there was a good crowd for my talk on “NAC 2.0″ this morning. I explained how NAC systems are starting to integrate with other network security systems like IDS and DLP. This trend is really starting to accelerate now that IF-MAP has been released, providing a standard way for these integrations to happen.

One more note. The Bletchley Park folks are appealing for donations to help save their historic site, an important part of cryptography and information security. If you’d like to donate, visit their site at or stop by and see the machines for yourself. If you can’t make it to England, go to the U.S. National Cryptologic Museum in Maryland. They have a similarly amazing collection of spy gear albeit in a less historic setting.

DNS based GSLB demystified (part 3/3) [Francois Ropert weblog]

Posted: 29 Oct 2008 06:45 PM CDT

Active/Active topology should be considered. When taking a GSLB decision, any traditional load-balancing method is configurable: WRR (Weighted Round Robin), Least connections, Least bandwidth, Least packets/s… as long as the GSLB entity can communicate with each GSLB site to get all the needed information…

NAC Panel Discussion: What is the state of NAC?

Posted: 29 Oct 2008 06:07 PM CDT

This morning at work I moderated a panel discussion on Network Access Control. The audience was made up of IT Security staff from several research and development organizations. There were representatives from 3 vendors in attendance as well. The audience represented a good cross section of NAC adopters. Some have had it for 2 years, some deploying this year while others had future or no plans to deploy NAC.

There was good audience participation so I only had to pull out 1 or 2 “canned” questions in the time allotted. I’ve tried to summarize the points and information that we learned from this exercise below. These are in no particular order.

1. No clear definition of NAC
One of the first questions from the audience was about barriers to NAC adoption. One of the vendors replied with the question “what does NAC mean to you?” This person wanted NAC to do machine based authentication with no posture assessment. The next speaker wanted user authentication and posture assessment. A third was looking for post-connect NAC, *cough* IPS *cough*. Yet another wanted machine based authentication followed by user authentication. There was also discussion of machine provisioning on the network based on an HR event. As we have heard before, the definition of NAC is a moving target.

2. Lack of executive buy-in kills
No big revelation here. Without proper senior management participation, understanding and approval almost any initiative will fail. What is interesting is the fact that within this group the challenge of selling NAC to upper management seemed to be more of a barrier to deployment than cost or complexity, the ones usually cited. My guess is that NAC may be an organizational or cultural challenge that is more common in “academic” environments where people may be used to doing what they want with less oversight. That is just a guess on my part. Cost was not mentioned once as an issue.

3. 802.1x is still a long way out for wired deployments
Most security professionals will agree that 802.1x authentication is the preferred enforcement mechanism for NAC. IPs can be changed, MACs can be spoofed, but digital certificates pose a formidable challenge to forge. All 3 vendors said that in their experience 90% of wireless NAC deployments use 802.1x. The reason cited was ease of configuration on the client side and general wider acceptance of the protocol. On the wired side that equation was reversed, with only 10% deploying 802.1x. Supplicant issues and the prevalence of devices that may not be able to have a supplicant (printers, VOIP phones, etc.) were said to be big issues.

4. Support for non-Windows clients still developing
The majority of the audience organizations have significant numbers of non-Windows clients, specifically Macs. We get it. Windows is on 90 something percent of the enterprise desktops. That number is changing. More and more companies are offering choices on the desktop / laptop. The NAC vendors present had different levels of support for non-Windows. Some could do authentication only and some could do posture checking if the NAC device was in-line. Note to NAC vendors: Mac support is not a nice-to-have any more. Mac will have an ever increasing presence on the desktop. The NAC options should be the same for Windows and non-Windows. I do recognize that Linux is a little more of a challenge due to the variants and much further behind Mac in the desktop OS race.

Some of the other take-aways were:
Make sure you have an accurate inventory of network connected devices
Do not underestimate the increased help desk utilization
Automated remediation is not as common as self-remediation in deployments

Those were the ones worth mentioning. Let me know if any of these jump out at you.


Palin effigy not a "hate crime" [An Information Security Place]

Posted: 29 Oct 2008 04:30 PM CDT

First off, let me say that I do not like political posts on security blogs.  I cannot tell people what not to post on their own blogs.  It is their business.  But I don’t have to like it, and I will say so. 

Having said that, this is a political post - though not in the sense that I am endorsing or criticizing any candidate.  It is about a political issue that really struck a nerve with me today, and I really can’t keep these thoughts to myself.  I am probably opening myself up to a flame war, and oh well if it happens.  So here goes.

Now, I have to state for the record that I disagree with hate crime laws for the most part because they politicize a lot of actions that are already a crime in the first place.  I just don’t think we need those laws because all it does is cause racial strife when the person simply needs to be punished for the crime.  I say all of that because of the story going around about the effigy of Sarah Palin being hanged in a Halloween display in West Hollywood, California (CA is not exactly a red state, so I guess it is not a big surprise - BTW, John McCain was also being burned in the display).  When I saw that this Halloween display did not meet the criteria of a hate crime, I had to start wondering what that definition is and what would have happened if that had been Barack Obama in that display. 

Granted, that is not a hugely original thought.  Every other comment on that story asked the same question (and a lot of freaks got out of control over it in their comments).  But seriously, if Barack Obama was being hanged in effigy, I seriously doubt the cops would not be saying that it "doesn’t rise to the level of hate crime".

There would be outrage by everyone, including ME, because it would be overtly racist and motivated by hate.  But is hate inherently limited by the race of the individual it is propagated against?  For that matter, is hate drawn around racial lines only, and not by other factors?  Can’t hate be motivated by political differences, as this display is?  Can’t hate be motivated by a person who doesn’t like the color green and attacks his neighbor because he painted his house that color?  Do you see where I am going with this?

If we are going to define a crime along the lines of emotion and intent, then we HAVE to do so equally across the board, and that is where these types of laws fail.  They are defined by politics, and this country needs to get off its PC ass and start doing things from a more practical perspective.  I understand the issues around race and the problems we have had in this country.  I wasn’t around during the race riots, but I was raised in a small Southern town that still had scars from those days when I was growing up.  The racial lines are still very evident there.  But if we are going to keep bringing up this issue in this country and then ignore the fact that hate and racism (not synonymous terms) can happen in both directions, then we are never going to progress beyond seeing people as colors first.

I have a dream that my four little children will one day live in a nation where they will not be judged by the color of their skin, but by the content of their character.

Martin Luther King Jr.


From Talking to Building [Anton Chuvakin Blog - "Security Warrior"]

Posted: 29 Oct 2008 03:52 PM CDT

Ah, the first week at a new place. An exciting time! Even though being in Kuala Lumpur would probably be even more exciting :-)

In any case, excitement is a good cause for sharing it. So, why am I excited? Is it only the "new-ness" of my position?

Not so.

I am most excited to be building again. That is building as opposed to talking. I loved being an evangelist and I think I did make the world love logs just a bit more. However, I happen to think that while speaking and writing leaves a scratch on the fabric of the Universe, building products that solve people's problems, that make people happy and that are both affordable and enjoyable to use is leaving A BIGGER scratch. As one old wizard said, it allows one to "strike sparks off the guard rail of the Universe!"

That is exactly why I am excited. What I do today will soon [hopefully!] translate into new products that people will enjoy using (despite the fact that they are compliance-related :-)) and that will solve problems that cause "pain and suffering" on a grand scale. (No, I am not saying what these are :-))

Having you define things THEN seeing them actually manifest in the real world THEN seeing people smile and say "Thanks!" is HUGELY exciting. Earning revenue in the process definitely doesn't hurt either :-)

BTW, now I read all this stuff about "security and clouds" and laugh (I can tell you later why it is so funny to me now)

ICANN Flips Switch on ESTDomains Registrar Accreditation [Infosecurity.US]

Posted: 29 Oct 2008 01:16 PM CDT

News, from Garth Bruen of KnujOn (and fellow supporting member of CastleCops):  ICANN has officially terminated ESTDomains, Inc. as an accredited registrar. A short excerpt from the notification, as well as Garth’s posting appears after the break. The ICANN Termination Notification To ESTDomains, Inc. is available for download (via the Infosecurity.US Public Document Repository). From [...]

Facebook, Worms and RSS Feeds - Hacking The Web2.0 Way and Beyond [GNUCITIZEN]

Posted: 29 Oct 2008 04:36 AM CDT

This morning I was reading an interesting article from Ryan Naraine (ZDNet Zero Day Blog) regarding a Facebook worm which uses RSS feeds and in particular Google Reader to strengthen its attack strategy. Interesting…

Web2.0 mosaic

If you have been following GNUCITIZEN’s research and in particular this blog, you know this is not big news, since I’ve been describing the numerous web2.0 attack strategies countless times. Perhaps you remember my paper on hacking Web2.0? It sounds very similar to Ryan’s article, doesn’t it?

One year ago, at the OWASP USA 2007 Summit, someone from the audience asked me when these (Web2.0 style) types of attacks will become mainstream. I said that we are far ahead of the bad guys but we will gradually see web2.0 types of attacks happening more and more often in the near future. Well, now we see them happening for sure.

It is time for the security community to stop being so ignorant and get out of its comfort zone for once. I know it is hard.

Web2.0 technologies are everywhere. I’ve seen them implemented in banks, large and small organizations, charity shops, the global Web. Even the security researchers who once laughed at them and proclaimed them unimportant are now using Twitter. Check out the Twitter security community. It is huge!

Web2.0 is Everywhere! And I’ve seen Web2.0 technologies fail far too often for my liking. The reason for this is that there aren’t that many people who can grasp the entire inter-communication nature of Web2.0. I am not saying that this is hard to learn. All I am saying is that not many people have made the effort to learn how all the components fit together.

Web2.0 security is not about XSS, or SQL injection, or even any kind of injection attack. These are simply vulnerabilities. Web2.0 security is all about the loose inter-communication between components which you can trust and components that you cannot. And in today’s mashup-driven world, this is damn hard.

Links for 2008-10-28 [Anton Chuvakin Blog - "Security Warrior"]

Posted: 29 Oct 2008 12:00 AM CDT

Identity Theft knows no age [Andy, ITGuy]

Posted: 28 Oct 2008 10:14 PM CDT

WOW! There has got to be a better way. My friend Mort has started a new blog with the Identity Protection company Debix. Today he has a post about a study that was done looking into identity theft and children. Yes, I said children. I'm talking people 17 years old and younger. I'm talking people who can't legally enter into a contract and therefore can't legally have credit. I'm talking boys and girls, little children, underage minors. I'm talking stupidity!

The numbers and statistics are frustrating and scary. They are also very irritating to me. Why? Because there is NO (repeat NO) reason for someone 17 or younger to have their identity stolen and to have credit opened in their name. As advanced as we are technologically there is no reason for this to happen. It's utterly ridiculous that we have let things get to the point where banks and other financial institutions have not put processes in place to verify the information required to get credit opened in your name. Simple steps and checks could be put in place to verify whether or not the owner of a SSN is 5, 15 or 55 years old.

As irritating as the data is, there are also some good tips that we all need to follow, especially for our kids. Check out the blog to learn lots of good things about protecting your, and your kids', identity.

Speaking tomorrow @ NCA conference [Napera Networks]

Posted: 28 Oct 2008 07:20 PM CDT

I’m speaking Wednesday at 2pm at NCA’s 2008 Security and Technology Conference at the Hyatt Regency in Bellevue. Tomorrow is the first public showing of a new presentation I’ve been working on for a few months, covering the TJX data breach that occurred over a three year period. I’ve spent hours reading the various reports and indictments in order to make some sense of what happened both during the hack and the aftermath, and to find out what IT managers can learn from the incident. Napera also has a booth at the conference and will be demonstrating our product. Drop by and say hello!

XKCD: Secretary of The Internet Part Two [Infosecurity.US]

Posted: 28 Oct 2008 04:02 PM CDT

Securosis: 5 Stages Of Cloud Computing Grief [Infosecurity.US]

Posted: 28 Oct 2008 03:56 PM CDT

Like On-target, and often hilarious posts keep coming on the latest Cloud Computing hype. This time, from fellow SBN Member Rich Mogull at Securosis, and today’s MustRead. Here’s our take at Infosecurity.US: “Be Wary of Prophets, O Ovis, When Thou Hoists the Cup of Syndev Nirvana.* Especially Whilst Gazing Within Said Cup and Thou Beholdeth Seething Vaporous [...]

I left this one pass [Security Balance]

Posted: 28 Oct 2008 01:56 PM CDT

I was visiting Dan Kaminsky’s blog today and I noticed that he is creating a community council to help on the disclosure of big vulnerabilities like the one he found on DNS and others that followed, including that famous one on TCP that Robert E. Lee and Jack Louis are planning to disclose after vendors have issued their patches. This is a very good outcome of all these happenings from the last months.

With a council like that, everybody who finds a vulnerability and thinks that it is critical enough to start a coordinated effort to fix it and disclose the details will have a safe place to go. Not only will it be full of people with enough knowledge to verify their claims and to make sure it is not something old or not-that-big, but it will also be a trusted party that won’t “steal” the credit for the discovery. If they manage to make its existence and their purposes known to the security research community, the only reason for someone to go into a “partial disclosure” alone will be “flash fame”.

Another step towards a more mature security research community. Nice!

Update on Snort and ClamAV for ms08-067 [VRT]

Posted: 28 Oct 2008 01:43 PM CDT

There's been a lot of action on the MS08-067 front over the weekend, so we thought we'd bring you up to date on the bug in general, and how Snort and ClamAV are providing specific detection. Interestingly, things are rolling out about the way we expected them to. We happened to be visiting a Snort class here in Columbia to field some questions last Thursday, and one of the students asked about how long it takes to move from binary patching to a POC. Our answer was as little as two hours. As it turns out, one private research organization reported EIP a little over two hours after patching for MS08-067 was released. That patch window is getting pretty small.

Snort Update

Of course, when you're dealing with 0-day, the patch window is an invalid concept. The VRT just finished up working through the actual pre-patch attack worm. We're pretty pleased with the outcome of our testing. After doing some reverse engineering and writing a quick DLL loader, Alain Zidouemba and Lurene Grenier were able to trigger the original, 0day attack in a controlled environment. We were able to get a pcap of the attack, and here are the test results from an all-rules load of Snort against that pcap:

[0-Day attack]

122:3:0 (portscan) TCP Portsweep Alerts: 1
1:7218:8 NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX little endian overflow attempt Alerts: 3
3:14809:1 NETBIOS SMB srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt Alerts: 3
1:7238:8 NETBIOS SMB srvsvc NetrPathCanonicalize little endian overflow attempt Alerts: 3
1:1394:8 SHELLCODE x86 NOOP Alerts: 42
122:1:0 (portscan) TCP Portscan Alerts: 5
3:14783:1 NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt Alerts: 3

We're happy to see our newly published rules, SID 14809 and SID 14783, among them. But there are a couple of more important things to notice here. We see plenty of evidence of "bad", with 42 alerts from the x86 NOOP rule from SHELLCODE. This would certainly give a skilled analyst a shot of detecting the 0-day attack. But the most important alerts are SID 7218 and SID 7238. These are from our detection set for MS06-040, a vulnerability from the same function as MS08-067. Because the attackers chose to use the same string that provided the overflow to also deliver the payload, they tripped the overly long string check in our MS06-040 detection. So customers who had protection enabled from either SID 1394 or SID 7238 and SID 7218 had 0-day protection from this attack.

After the release of the binary patch, it can take a while to make a reliable exploit, and it wasn't until this weekend that public exploits began to appear. The first PoC up on Milw0rm was interesting. From a quick look at the source code, and in looking at how it behaves against our sensors, we actually believe that this POC is triggering the ms06-040 vulnerability, as opposed to the MS08-067 one. The PoC was actually up on Thursday, 10/23, and the first Milw0rm remote entry didn't show up until the 26th. Here is the testing output from the PoC and the

[Milw0rm PoC]

3:14817:1 NETBIOS SMB srvsvc NetrpPathCononicalize unicode little endian path cononicalization stack overflow attempt Alerts: 1
1:1923:9 RPC portmap proxy attempt UDP Alerts: 2
1:7224:8 NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode little endian overflow attempt Alerts: 1
3:14783:1 NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt Alerts: 1

[Milw0rm Remote]

3:14817:1 NETBIOS SMB srvsvc NetrpPathCononicalize unicode little endian path cononicalization stack overflow attempt Alerts: 1
1:7209:8 NETBIOS SMB srvsvc NetrPathCanonicalize unicode little endian overflow attempt Alerts: 1
3:14783:1 NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt Alerts: 1

Again, we detect both on the MS06-040 rules and our newly provided MS08-067 rules. Because the attackers chose to put payload in the same string as the attack, they trigger the overflow check in our prior MS06-040 rules. This won't always be the case, as payload can be placed outside the stub, but we would still alert on the "path cononicalization stack overflow attempt" rules.

We've also verified coverage against Core Security Technologies' Core Impact module that exploits this vulnerability. Not surprisingly, this was a reliable attack mechanism against machines that are shown by Microsoft's documentation to be vulnerable to this attack. Again, it triggers prior coverage on our MS06-040 rules:

[Core Impact]

1:1390:6 SHELLCODE x86 inc ebx NOOP Alerts: 2
3:14809:1 NETBIOS SMB srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt Alerts: 2
1:7235:8 NETBIOS SMB-DS srvsvc NetrPathCanonicalize little endian overflow attempt Alerts: 2
1:1923:9 RPC portmap proxy attempt UDP Alerts: 10
1:648:9 SHELLCODE x86 NOOP Alerts: 2
3:14783:1 NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt Alerts: 2

Because this is a well formed attack, we see a couple of additional things in this detection. The RPC portmap alert is triggered as the attack determines the attack vectors available to it. We also see indications of NOP sleds through SID 1390 and SID 648. Depending on how the attacker chooses to lay out the attack, NOP sleds can be an important component of attack detection, particularly in 0-day cases. I would strongly recommend that you leave active as many SHELLCODE rules as you can, to give your analysts a chance in 0-day cases. In this case though, we have solid detection, both in the form of SID 7235, our MS06-040 detection, and our MS08-067 specific set of detection.

Finally, we just finished up coverage testing for HD Moore's ms08-067 module for Metasploit. There are a lot of interesting things going on here, which we'll be covering in an upcoming white paper release. But for now, here is the Snort detection output:


3:14793:1 NETBIOS SMB srvsvc NetrpPathCononicalize WriteAndX little endian path cononicalization stack overflow attempt Alerts: 1
1:7250:8 NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX little endian overflow attempt Alerts: 2
3:14783:1 NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt Alerts: 1

Again...ms06-040 coverage plus our updated coverage. Note the absence of other identifying traffic (shellcode, scanning, etc.); without targeted coverage, you would miss this attack.

As a final take away, notice that in three attacks, we have several different alerts. Because of the time Brian Caswell and the VRT have put towards handling a variety of NetBIOS attack vectors, Snort is able to provide broad, comprehensive detection for attacks. This leads to a larger number of rules to provide this coverage, so I strongly encourage you to upgrade to at least Snort 2.8.2, which is when we introduced the binary tree structure to the rule parsing process. This provides a significant performance increase for the large, but well formed for a binary tree, NetBIOS ruleset.
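As an added example (not the VRT's code), here is a small Python parser for the alert summaries quoted above that buckets each rule into the coverage families the post describes, so a reader can check per capture whether the older MS06-040 rules, the new MS08-067 rules, or only generic shellcode and portscan rules fired. The bucket names and the `classify` heuristic are my own and rest on the rule message text as printed in the post; the three sample summaries are copied from it.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One line of the "all-rules load" summary quoted in the post:
#   <gid>:<sid>:<rev> <rule message> Alerts: <count>
ALERT_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\s+(?P<msg>.+?)\s+Alerts:\s+(?P<count>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    count: int


def parse_summary(text: str) -> list[Alert]:
    """Parse a block of summary lines; blank lines are skipped, anything else must match."""
    alerts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised summary line: {line!r}")
        alerts.append(Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]),
                            m["msg"], int(m["count"])))
    return alerts


def classify(alert: Alert) -> str:
    """Bucket a rule the way the post discusses them (heuristic, my own).

    The gid 3 "path cononicalization stack overflow" messages are the new MS08-067
    set, the older NetrPathCanonicalize "overflow attempt" messages are the MS06-040
    set, SHELLCODE and gid 122 (portscan preprocessor) are generic coverage.
    """
    if alert.gid == 122:
        return "portscan"
    if alert.msg.startswith("SHELLCODE"):
        return "shellcode"
    if "path cononicalization stack overflow" in alert.msg:
        return "ms08-067"
    if "NetrPathCanonicalize" in alert.msg and "overflow attempt" in alert.msg:
        return "ms06-040"
    return "other"


def coverage(text: str) -> dict[str, int]:
    """Total alert counts per bucket for one capture's summary."""
    totals: Counter[str] = Counter()
    for alert in parse_summary(text):
        totals[classify(alert)] += alert.count
    return dict(totals)


def detected_without_targeted_rules(text: str) -> bool:
    """True when a sensor without either NetBIOS rule set would still see something
    (shellcode or scan alerts); the post notes the Metasploit module gives neither."""
    cov = coverage(text)
    return cov.get("shellcode", 0) > 0 or cov.get("portscan", 0) > 0


# Sample summaries copied from the post above.
ZERO_DAY = """
122:3:0 (portscan) TCP Portsweep Alerts: 1
1:7218:8 NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX little endian overflow attempt Alerts: 3
3:14809:1 NETBIOS SMB srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt Alerts: 3
1:7238:8 NETBIOS SMB srvsvc NetrPathCanonicalize little endian overflow attempt Alerts: 3
1:1394:8 SHELLCODE x86 NOOP Alerts: 42
122:1:0 (portscan) TCP Portscan Alerts: 5
3:14783:1 NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt Alerts: 3
"""

CORE_IMPACT = """
1:1390:6 SHELLCODE x86 inc ebx NOOP Alerts: 2
3:14809:1 NETBIOS SMB srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt Alerts: 2
1:7235:8 NETBIOS SMB-DS srvsvc NetrPathCanonicalize little endian overflow attempt Alerts: 2
1:1923:9 RPC portmap proxy attempt UDP Alerts: 10
1:648:9 SHELLCODE x86 NOOP Alerts: 2
3:14783:1 NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt Alerts: 2
"""

METASPLOIT = """
3:14793:1 NETBIOS SMB srvsvc NetrpPathCononicalize WriteAndX little endian path cononicalization stack overflow attempt Alerts: 1
1:7250:8 NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX little endian overflow attempt Alerts: 2
3:14783:1 NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt Alerts: 1
"""

if __name__ == "__main__":
    for name, text in (("0-day attack", ZERO_DAY), ("Core Impact", CORE_IMPACT),
                       ("Metasploit module", METASPLOIT)):
        print(f"{name}: {coverage(text)}; generic rules alone would alert: "
              f"{detected_without_targeted_rules(text)}")
```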

ClamAV Update (Courtesy of Alain Zidouemba)

A number of files by the name of n[x].exe (where [x] denotes an integer) have been observed to be a payload delivered as a result of the MS08-067 vulnerability. The Trojans are usually 388KB in size. Once executed, n[x].exe starts off by trying to ping the server. A whois of this IP address reveals that the machine is on a Chinese domain.
n[x].exe then drops the file %SYSTEMROOT%\system32\wbem\sysmgr.dll on the hard drive and registers the service "System Maintenance Service" that points to sysmgr.dll.
The following registry keys are created as well:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters
Servicedll = %SystemDir%\wbem\sysmgr.dll
Servicemain = servicemainfunc

The file attempts to ping, which is a computer that is part of the domain. The Trojan very likely pings it to verify network connectivity. The assembly code for sysmgr.dll reveals that the Trojan then checks the registry for the presence of the following registry keys:

HKLM\Software\Microsoft\OneCare Protection

All these registry keys are related to prevalent desktop security solutions.

Upon receiving a reply to its PING packet from, the Trojan has confirmation that it has access to the Internet and proceeds to try to download more malware from, a server located in Japan. In fact, an HTTP GET request is sent to with the following request URI:


where value1 is a function of the antivirus software installed on the host and value2 is a function of the operating system.
The Trojan also sends a cookie named ac to the server along with the GET request. The cookie contains AES-encrypted data about the user. Here is an example of the type of data it attempts to capture:

Outlook Express credentials
Protected Storage credentials
MSN Passport.Net credentials

As a result of the GET request, %SystemDir%\ is downloaded to the infected machine. This .cab file contains the following files:


Once the files have been extracted from the .cab file, the batch file install.bat copies all of them to the folder %SystemDir%\wbem.
WinbaseInst.exe is then run, which creates another service called "Windows NT Baseline" that points to basesvc.dll. The following registry keys are created in conjunction with the service:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BaseSvc\Parameters
Servicedll = %SystemDir%\wbem\basesvc.dll
Servicemain = servicemainfunc

WinbaseInst.exe is thereafter deleted by install.bat.
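One way to check a Windows host for the persistence artifacts described above, as an added example that is not part of the ClamAV write-up: the service display names, DLL names, wbem directory and ServiceMain value are the ones reported above; the script structure and its output are this example's own assumptions, and it must run with rights to read HKLM.

```powershell
# Added example (not code from the VRT/ClamAV post): hunt a Windows host for
# the Trojan.Gimmiv persistence described in the write-up. The indicator
# values come from the post; everything else here is an assumption.
$iocDlls     = @('sysmgr.dll', 'basesvc.dll')
$iocNames    = @('System Maintenance Service', 'Windows NT Baseline')
$wbemDir     = Join-Path $env:SystemRoot 'system32\wbem'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings    = @()

# 1. Files dropped into %SystemRoot%\system32\wbem.
foreach ($dll in $iocDlls) {
    $path = Join-Path $wbemDir $dll
    if (Test-Path -LiteralPath $path) {
        $findings += New-Object PSObject -Property @{ Type = 'File'; Detail = $path }
    }
}

# 2. Service entries whose Parameters\ServiceDll points at one of the DLLs,
#    whose ServiceMain is "servicemainfunc", or whose display name matches.
#    Registry persistence is the reliable indicator here: basesvc.dll sleeps
#    for a long time before acting, so a network or process check taken right
#    after infection may show nothing.
foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $name   = $svc.PSChildName
    $props  = Get-ItemProperty -Path "$servicesKey\$name" -ErrorAction SilentlyContinue
    $params = Get-ItemProperty -Path "$servicesKey\$name\Parameters" -ErrorAction SilentlyContinue
    $dll    = [string]$params.ServiceDll      # REG_EXPAND_SZ is expanded for us
    $main   = [string]$params.ServiceMain
    $disp   = [string]$props.DisplayName

    $hitName = $iocNames -contains $disp
    $hitDll  = ($dll -ne '') -and ($iocDlls -contains ([IO.Path]::GetFileName($dll).ToLower()))
    $hitMain = $main -ieq 'servicemainfunc'

    if ($hitName -or $hitDll -or $hitMain) {
        $findings += New-Object PSObject -Property @{
            Type   = 'Service'
            Detail = "$name DisplayName='$disp' ServiceDll='$dll' ServiceMain='$main'"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Gimmiv persistence indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```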

We took a look at basesvc.dll in a disassembler. We recognized in the .text section of this PE file the following strings:

Our research on the vulnerability MS08-067 enables us to easily recognize these strings:

* 4b324fc8-1670-01d3-1278-5a47bf6ee188 is the Universally Unique Identifier, or UUID, that the vulnerable server service registers

* is the IP address of a computer belonging to the company TransCanada Pipeline. It's on the domain

* 139 is the TCP port for the NetBIOS Session Service. This is the port that is used to connect to file shares

What we have here is an attempt by this piece of malware to exploit the computer at IP address by sending it malformed DCE-RPC requests and relying on the vulnerable server service that is registered with UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188. However, we did not see network traffic showing that the routine above was actually called.
The export table for this .dll file shows that the following 3 functions are exported:


Towards the end of the function ServiceMainFunc, a subroutine is invoked. This subroutine pauses the execution of the program for a long period of time. This is usually done to make reverse engineering difficult but also so that the Trojan will not attract attention immediately upon being executed.

Armed with these pieces of information, we edited this .dll file with a hex editor to change the sleep time to 1 ms and to change the target of this attack to an internal IP address. Finally, in order to call the desired function in basesvc.dll, we wrote a small loader. We called ServiceMainFunc in our slightly modified .dll (we do not want to attack the computer system of TransCanada Pipeline) and the function sought out potentially vulnerable Windows machines on our local network. Upon finding a vulnerable Windows machine, shellcode that is embedded in the Trojan is executed on the target machine. This shellcode instructs the newly compromised machine to contact IP address in order to download a sample or a variant of Trojan.Gimmiv.

ClamAV detects these malicious files under the Trojan.Gimmiv (Trojan.Gimmiv-{1...7}) family.

It is worth noting that none of the files associated with this Trojan are packed in any shape or form. Was this written by an inexperienced coder, or is this a deliberate taunt of the security community? The verdict is out on this one. Packing is a technique widely used by malware authors to prevent antimalware researchers from easily reversing malware binaries.

Survey Shows Disconnect On IT Policy [Articles by MIKE FRATTO]

Posted: 28 Oct 2008 11:26 AM CDT

Cisco follows up on its survey on data leakage, which I already wrote about, with an analysis of policy effectiveness. There isn't too much surprising in the findings, but the results continue to highlight the need for sound security policy management ...

RI Linux Installfest - Winter Edition [PaulDotCom]

Posted: 28 Oct 2008 09:43 AM CDT

PaulDotCom Enterprises, in conjunction with the SNENUG (Southern New England Network Users Group), is proud to present the second Linux Installfest for 2008. An installfest allows you to bring in your old computers (or anything that will run Linux) and get help from others in the community with the installation and configuration. Got an old PC hanging around? Bring it by! Got a dusty old iPod or wireless router? Get help from Paul & Larry, authors of the WRT54G Hacking book!


Where: Care New England, Trowbridge Building, 10 Health Ln (or 455 Tollgate Rd for older GPSes) Warwick, RI (Right next to Kent Hospital), First floor rooms 102 & 103.

When: Saturday, December 6, 2008 (9:00AM - 4:00 PM)

Contact: Please email for questions or more information

Registration: Registration will be done at the door, so just show up!

Directions Here

We also need volunteers to assist people with installing Linux, so if you're already a Linux guru please come by to help. Internet access will be provided, however if your device requires a monitor please bring one (a small one if possible). PaulDotCom will be sponsoring the food and drink for the event. Below are some answers to some common questions:

* What about MythTV? - By popular request this year we will be attempting some installs of MythTV with Mythbuntu. Please check the website for supported tuners to bring with you. There is no cable television service available in the facility, but we will provide a "local feed" for testing.

* Do I need to bring my own installation media? - This depends: if you have a particular Linux distribution that you would like to install, please download it and burn it to CD beforehand. If you don't have a preference, we will have some installation media here and can even download and install it once you get here.

* Do I need to bring a monitor and keyboard? - If you are bringing a computer (and not a laptop or other device that does not require a monitor or keyboard) please bring your own monitor and keyboard. It is highly recommended that you bring an LCD monitor to save space. We will have a few spare monitors on hand.

* Will there be Internet access? - Yes, both wired and wireless Internet access will be available. Again, please try to download all of the necessary software beforehand so that the network does not slow down due to multiple people trying to download Linux at once.

* I've never installed Linux before, will people be there to help me? - Yes, there will be several experienced Linux users in attendance to help you install Linux. They will stick with you throughout the day until the installation is completed.

* I am an experienced Linux user, can I still attend? - Yes, please come by to help people install Linux, eat, drink, and be merry. This is a fun, social event!

* I want to do an advanced Linux installation, can I bring an embedded device and get help installing Linux on it? - Yes, I will actually be bringing 3 devices to try to install Linux on, a 2nd generation iPod, a Routerboard 532a, and a Soekris net5501. I may be asking for help too!

CSI Discount Code [Andy, ITGuy]

Posted: 28 Oct 2008 08:17 AM CDT

Interested in attending CSI 2008 this year? Don't have the budget to pay full price? Well, if you're interested in a 55% discount I can help you out. I have 2 discount codes that I can give out if you are interested. Drop me a message and I'll get them to you.
