From Paul's Security Weekly
Jump to: navigation, search
ProXPN 186x46.jpg
The SANS Institute
Black Hills Information Security
Tenable Network Security
Pwnie Express

Episode Media


Special Guests: Lenny Zeltser, Mike Murr and Bojan Zdrnja - Masters of Malware

Lenny, Mike, and Bojan are the authors of SEC610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques a course that covers:

  • Configuring the laboratory environment
  • Assembling the analysis toolkit
  • Performing behavioral and code analysis
  • Bypassing authentication mechanisms
  • Reverse-engineering protected executables
  • Intercepting network connections
  • Patching compiled executables
  • Examining shellcode
  • Malware analysis shortcuts
  • Core code reversing concepts
  • Assembly language primer
  • Identifying assembly logic structures
  • Reversing seen in common malware categories
  • Working with PE headers
  • Handling DLL interactions and API hooking
  • Packer identification
  • Manual and automated unpacking
  • Bypassing code-defense mechanisms
  • Analyzing advanced browser malware

Stories of Interest

Same Site Scripting - [Paul] - W00t! More scripting attacks! This stems from people using A records such as "localhost IN A", which in turns makes things such as "localhost.foo.com" actually resolve. To attack it you have to be on the same UNIX system, and there are other attack vectors involving CUPS. Just fuel for my theory that this will be the year of scripting attacks.

"Drive-By Pharming" - [Paul] - I hate the phrase "drive-by pharming" because it does little to explain the attack, but some thing it sounds good in the press. Here, the attack uses a 2wire cable modem deployed in mexico to add static host mappings. We covered this some time ago, on the podcast and in my keynote. Its not really new, but still a dangerous attack! Who checks the DNS settins on their router anyway? I'd say that your best bet is to statically assign your DNS servers to opendns to avoid the problem, somwhat... OOOH, and can't someone make a plugin for firefox that alerts us if the IMG tag contains a link to an RFC1918 address?

Cool mDNS stuff from GNUCitizen - [Paul] - Some neat tools were released that allow for mDNS enumeration. The nessus plugin does a good job, but I always wanted more control and flexibility. Some python libraries have been deveoped and I am currently testing them. mDNS is like upnp, a service that is typically included on embedded stuff (and in this case apple iTunes/OS X) that have no security and allows you to do fun things, like enumerate all of the devices via a single multicast packet. More to come, stay tuned...

Speaking on GNUCITIZEN we now have call jacking - [Paul] - This attack uses the authentication bypass vulnerability in BT's home hub (still not patched) and makes it appear as though the victim is receiving a call! So clicking on a link makes an outgoing connection, however the request causes the phone to appear like its ringing from an outside line. Now thats a fierce, fast, phishing attack!

Hackers Blamed For Power Outage - [Paul] - I wonder if they used Nmap and an SSH exploit? So, looks like attackers, from the Internet, were able to disrupt some power grid action. "¿In at least one case, the disruption caused a power outage affecting multiple cities,¿ Donahue said in a statement. ¿We do not know who executed these attacks or why, but all involved intrusions through the Internet.¿" Yikes! Not to mention they came from another country, but yet how do you know that if you don't know who did it? Something's fishy...

Myspace Vuln results - [Larry] - A researcher used a vulnerability in myspace to view pictures marked as private, overriding the protections by accessing the private profiles and then the images...he used scripting to retrieve the photos from 44,000 profiles (567,000 images totaling over 17 Gig) over a 94 hour period. Those files are now available via Torrent (which I'd love to see seeded...). Two issues here: Myspace took some time to fix the hole (which was allegedly the same day it was reported) - but as a result, images from individuals under 16 are always marked as private to keep out pedophiles - and guess what this revealed. The other issue is, never put ANYTHING online that you don't want archived for eternity. I think a lot of people miss that, and it comes up time and time again with social networking sites.

Unshredding Documents - [Larry] - German scientists are using software to reconstruct shredded Stasi documents. Think shredding isn't enough? the type of documents here contained several different shredding methods, paper types, and typefaces, and likely this will take LOTS of time and resources (computer and financial) to accomplish. This is certainly beyond the scope of most attackers, even the determined ones.

Packet Analytics - [Larry] - A new company associated with the Los Alamos National Laboratory. Their software claims to be able to churn through mountains of netflow, and other security related information (IDS logs, firewall logs and so on), and can analyze them for breaches. Now, take this with a grain of salt - LANL has a history of accidentally disclosing nuclear secrets, and if I recall, was the home of hacking Fred Durst. That being said, I think that this should investigated as just ONE tool in your arsenal.

Going to meetings... - [Larry] - A successful physical assessment leads to access. When asked to come to a follow up meeting, the client intentionally did not provide access contact info, and asked the tester to get in on their own.

http://go.theregister.com/feed/www.theregister.co.uk/2008/01/22/hp_virtual_rooms_security_bug/ HP Virtual Rooms] - [Larry] - Attend a virtual meeting, and get pwned due to this ActiveX bug. I wanted to bring this up as another vector to some google calendar hacking - search for these public meetings, attend "anonymously" and let pwnage ensue.

VOIP Ownage with BT - [Larry] Oooh, paul, this must be the next best thing to chocolate (read as sex). GNUCitizen talks about vulnerabilities in the BT Home Hub (embedded device) that can allow for VOIP (!) calls to be hijacked, listened to, spoofed and possiblt mis-directed. BT claims to have fixed the issue, but instead of fixing it, they just disabled remote assistance. The attack is possible via an authentication bypass and SeaSurf.

Preventing laptop theft - [Larry] - Obviously, you will want to practice defense in depth, but what about preventing the exposure to begin with? How about:

Inventory management - record and register the serial numbers Laptop "Lo-jack" - Software that phones home Education! - put the laptop in the trunk, or carry it with you Cable locks - I go to so many training classes, where I see rooms full of security professionals leaving their laptops unattended while retrieving tasty snacks. A laptop alarm - but will it be like a car alarm that noone pays attention to?

Other Stories

Listener Submitted Stories

Beer Bread is Great - [Paul]

Bratwurst in beer is not bad either! - [iamnowonmai]