Detecting intruders and where to look for

February 15, 2006
CERT, just released their "Windows Intruder Detection Checklist" from the article :

"This document outlines suggested steps for determining whether your Windows system has been compromised. System administrators can use this information to look for several types of break-ins. We also encourage you to review all sections of this document and modify your systems to address potential weaknesses."

I find it a well summarized checklist, perhaps the first thing that I looked up when going through it was the rootkits section given the topic. It does provide links to free tools, but I feel they could have extended to topic a little bit. Overall, consider going through it. Another checklist I recently came across is the "11 things to do after a hack" and another quick summary on "10 threats you probably didn't make plans for".

Rootkits are gaining popularity, and with a reason -- it takes more efforts to infect new victims instead of keeping the current ones, at least from the way I see it. In one of my previous post "Personal Data Security Breaches - 2000/2005" I mentioned about a rootkit placed on a server at the University of Connecticut on October 26, 2003, but wasn't detected until July 20, 2005, enough for auditing, detecting attackers and forensics? Well, not exactly, still something else worth mentioning is the interaction between auditing, rootkits and forensics. There's also been another reported event of using rootkit technologies for DRM(Digital Right Management) purposes, not on CDs, but DVDs this time, so it's not enough that malware authors are utilizing the rootkit concept, but flawed approaches from companies where we purchase our CDs and DVDs from, are resulting in more threats to deal with!

Check CERT's "Windows Intruder Detection Checklist" and if interested, also go though the following resources on rootkits and digital forensics :

Windows rootkits of 2005, part one
Windows rootkits of 2005, part two
Windows rootkits of 2005, part three
Malware Profiling and Rootkit Detection on Windows
Timing Rootkits
Shadow Walker - Raising The Bar For Windows Rootkit Detection - slides
When Malware Meets Rootkits
Leave no trace - book excerpt
Database Rootkits
Rootkits and how to combat them
Rootkits Analysis and Detection
Concepts for the Stealth Windows Rootkit
Avoiding Windows Rootkit Detection
Checking Microsoft Windows Systems for Signs of Compromise
Implementing and Detecting Implementing and Detecting an ACPI BIOS Rootkit

Host-based Intrusion Detection Systems
Forensics Tools and Processes for Windows XP Clients
F.I.R.E - Forensic and Incident Response Environment Bootable CD
Forensic Acquisition Utilities
FCCU GNU/Linux Forensic Bootable CD 10.0
iPod Forensics :)
Forensics of a Windows system
First Responders Guide to Computer Forensics
Computer Forensics for Lawyers

Technorati tags:
, , , , , Continue reading →

Look who's gonna cash for evaluating the maliciousness of the Web?

February 14, 2006
Two days ago, SecurityFocus ran an article "Startup tries to spin a safer Web" introducing SiteAdvisor :

"A group of graduates from the Massachusetts Institute of Technology (MIT) aim to change that by crawling the Web with hundreds, and soon thousands, of virtual computers that detect which Web sites attempt to download software to a visitor's computer and whether giving out an e-mail address during registration can lead to an avalanche of spam.

The goal is to create a service that lets the average Internet user know what a Web site actually does with any information collected or what a download will do to a computer, Tom Pinckney, vice president of engineering and co-founder of the start-up SiteAdvisor, said during a presentation at the CodeCon conference here."

The concept is simply amazing, and while it's been around for ages, it stills needs more acceptance from decision makers that tend to stereotype on perimeter and antivirus defense only. Let's start from the basics, it is my opinion that users do more surfing than downloading, that is, the Web and its insecurities represent a greater threat than users receiving malware in their mailboxes or IMs. And not that they don't receive any, but I see a major shift towards URL droppers, and while defacement groups are more than willing to share these with phishers etc., a URL dropper is easily getting replaced by an IP one, so you end up having infected PCs infecting others through hosting and distributing the malware, so sneaky, isn't it? My point is that initiatives such as crawling the web for malicious sites, listing, categorizing and updating their status is a great, both security, and business sound opportunity. The way you know the bad neighbourhoods around your town, in that very same way you need a visualization to assist in research, or act as a security measure, and while its hard to map the Web and keep it up to date, I find the idea great!

So what is SiteAdvisor up to? Another build-to-flip startup? I doubt so as I can almost feel the smell of quality entrepreneurship from MIT's graduates, of course, given they assign a CEO with business background :) APIs, plugins, already tested the majority of popular sites according to them, and it's for free, at least to the average Internet user who's virtual "word of mouth" will help this project get the scale and popularity necessary to see it licensed and included within current security solutions. They simply cannot test the entire Web, and I feel the shouldn't even set it as an objective, instead map the most trafficked web sites or do so on-the-fly with the top 20 results from Google. I wonder how are downloads tested, are they run through VirusTotal for instance, and how significant could a "push" approach from the end users, thus submitting direct links to malicious files found within to domain for automatic analysis, sound in here?

I think the usefulness of their idea could only be achieved with the cooperation/acquisition of a leading search engine, my point is that some of the project's downsizes are the lack of on-the-fly ability(that would be like v2.0 and a major breakthrough in respect to performance), how it's lacking the resources to catch up with Google on the known web (25,270,000,000 according to them recently), how IP droppers instead of URL based ones totally ruin the idea in real-life situations(it takes more efforts to register and maintain a domain, compared to using a zombie host's capabilities to do the same, doesn't it?)

In one of my previous posts on why you should aim higher than antivirus signatures protection only I mentioned some of my ideas on "Is client side sandboxing an alternative as well, could and would a customer agree to act as a sandbox compared to the current(if any!) contribution of forwarding a suspicious sample? Would v2.0 constitute of a collective automated web petrol in a PC's "spare time"?

Crawling for malicious content and making sense of the approaches used in order to provide an effective solutions is very exciting topic. As a matter of fact in one of my previous posts "What search engines know, or may find about us?" I mentioned about the existence of a project to mine the Web for terrorist sites dating back to 2001. And I'm curious on its progress in respect to the current threat of Cyberterrorism, I feel both, crawling for malicious content and terrorist propaganda have a lot in common. Find the bad neighbourhoods, and have your spiders do whatever you instruct them to do, but I still feel quality and in-depth overview would inevitably be sacrificed for automation.

What do you think is its potential of web crawling for malicious content, and by malicious I also include harmful in respect to Cyberterrorism PSYOPS (I once came across a comic PSYOPS worth reading!) techniques that I come across on a daily basis? Feel free to test any site you want, or browse through their catalogue as well.

You can also find more info on the topic, and alternative crawling solutions, projects and Cyberterrorism activities online here :

A Crawler-based Study of Spyware on the Web
Covert Crawling: A Wolf Among Lambs
IP cloaking and competitive intelligence/disinformation
Automated Web Patrol with HoneyMonkeys Finding Web Sites That Exploit Browser Vulnerabilities
The Strider HoneyMonkey Project
STRIDER : A Black-box, State-based Approach to Change and Configuration Management and Support
Webroot's Phileas Malware Crawler
Methoden und Verfahren zur Optimierung der Analyse von Netzstrukturen am Beispiel des AGN-Malware Crawlers (in German)

Jihad Online : Islamic Terrorists and the Internet
Right-wing Extremism on the Internet
Terrorist web sites courtesy of the SITE Institute
The HATE Directory November 2005 update (very rich content!)
Recruitment by Extremist Groups on the Internet

Technorati tags:
, , , , ,
Continue reading →

Recent Malware developments

February 13, 2006
In some of my February's streams :) "The War against botnets and DDoS attacks" and "CME - 24 aka Nyxem, and who's infected?" I covered some of the recent events related to malware trends in the first months of 2006. This is perhaps the perfect time to say a big thanks to everyone who's been expressing ideas, remarks and thoughts on my malware research. While conducting the reseach itself I realized that I simply cannot include everything I want it, as I didn't wanted to release a book to have its content outdated in less than an year, but a "stick to the big picture" representation of the things to come. The best part is that while keeping daily track of the trends and trying to compile a summary to be released at the end of the year, many more concepts that I didn't include come to my mind, so I feel I'll have enough material for a quality summary and justification of my statements. So what are some of the recent developments to keep in mind?

A lot of buzz on the CME-24 front, and I feel quite a lot of time was spent on speculating on the infected population out of a web counter whose results weren't that very accurate as originally though. And as vendors closely cooperated to build awareness on the destructive payload, I think that's the first victory for 2006, no windows of opportunity The best is that CAIDA patiently waited until the buzz is over to actually come up with reliable statistics on Nyxem.

It's rather quiet on the AV radars' from the way I see it, and quickly going through F-Secure's, Kaspersky's (seem to be busy analyzing code, great real-time stats!), Symantec's I came across the similarities you can feel for yourself in "the wild" :) Symantec's ThreatCon is normal, what's interesting to note is VirusTotal's flood of detected WMF's, which is perhaps a consequence of the *known* second vulnerability.

James Ancheta's case was perhaps the first known and so nicely documented on botnet power on demand. Recently, a botnet, or the participation in such shut down a hospital's network, more over I think StormPay didn't comply with a DDoS extortion attempt during the weekend?

Joanna Rutkowska provided more insights on stealth malware in her research (slides, demo) about "about new generation of stealth malware, so called Stealth by Design (SbD) malware, which doesn't use any of the classic rootkit technology tricks, but still offers full stealth. The presentation also focuses on limitations of the current anti-rootkit technology and why it’s not useful in fighting SbD malware. Consequently, alternative method for compromise detection is advocated in this presentation, Explicit Compromise Detection (ECD), as well as the challenges which Independent Software Vendors encounter when trying to implement ECD for Windows systems – I call it Memory Reading Problem (MRP). "

How sound is the possibility of malware heading towards the BIOS anyway? An "Intelligent P2P worm's activity" that I just across to also deserves to be mentioned, the concept is great, still the authors have to figure out how to come up with legitimate file sizes for multimedia files if they really want to fake its existence, what do you think on this?

Some recent research and articles worth mentioning are, Kaspersky's Malware - Evolution : October - December 2005 outlines the possibilities for cryptoviral extortion attacks, 0days vulnerabilities, and how the WMF bug got purchased/sold for $4000. There's also been quite a lot of new trojans analyzed by third-party researchers, and among the many recent articles that made me an impression are "Malicious Malware: attacking the attackers, part 1" and part 2, from the article :

"This article explores measures to attack those malicious attackers who seek to harm our legitimate systems. The proactive use of exploits and bot networks that fight other bot networks, along with social engineering and attacker techniques are all discussed in an ethical manner."

Internet worms and IPv6 has nice points, still I wish there were only network based worms to bother about. Besides all I've missed important concepts in various commentaries, did you? Malware is still vulnerabilities/social engineering attacks split at least for the last several months, still the increased corporate and home IM usage will inevitable lead to many more security threats to worry about. Web platform worms such as MySpace and Google's AdSense Trojan, are slowly gaining grounds as a Web 2.0 concept, so virus or IDS signatures are to look for, try both!

During January, David Aitel reopened the subject of beneficial worms out of Vesselin Bontchev's research on "good worms". While I have my reservations on such a concept that would have to do with patching mostly the way I see it, could exploiting a vulnerability in a piece of malware by considered useful some day, or could a network mapping worm launched in the wild act as an early response system on mapped targets that could end up in a malware's "hitlist"? And I also think the alternative to such an approach going beyond the network level is Johnny Long's (recent chat with him) Google Dorks Hacking Database, you won't need to try to map the unlimited IPv6 address space looking for preys. Someone will either do the job for you, or with the time, transparancy in IPv6, one necessary for segmented and targeted attacks will be achieved as well.

Several days ago, Kaspersky released their summary for 2005, nothing ground breaking in here compared to previous research on how the WMF vulnerability was purchased/sold for $4000 :) but still, it's a very comprehensive and in-depth summary of 2005 in respect to the variables of a malware they keep track of. I recommend you to go through it. What made me an impression? 
- on average, 6368 malicious programs detected by month

- +272% Trojan-Downloaders 2005 vs 2004

- +212% Trojan-Dropper 2005 vs 2004

- +413% Rootkit 2005 vs 2004

- During 2005, on average 28 new rootkits a month

- IM worms 32 modifications per month

- IRC worms are on -31%

- P2P worms are on -43%, the best thing is that Kaspersky labs also shares my opinion on the reason for the decline, P2P busts and general prosecutions for file-sharing. What's also interesting is to mention is the recent ruling in a district court in Paris on the "legality of P2P" in France and the charge of 5 EUR per month for access to P2P, but for how long? :) P2P filesharing isn't illegal and if you cannot come up with a way to release your multimedia content online, don't bother doing at all. In previous chats I had with Eric Goldman, he also makes some very good points on the topic.

- +68% Exploit, that is software vulnerabilities and the use of exploits both known or 0day's with the idea to easily exploit targeted PC, though I'm expecting the actual percentage to be much higher

- Internet banking malware reached a record 402% growth rate by the end of 2005 The Trojan.Passwd is a very good example, it clearly indicates that it is written for financial gains. E-banking can indeed prove dangerous sometimes, and while I'm not being a paranoid in here, I'd would recommend you go through Candid's well written "Threats to Consider when doing E-banking" paper

- A modest growth from 22 programs per month in 2004 to 31 in 2005 on the Linux malware front

I feel today's malware scene is so vibrant that it's getting more and more complex to keep track of possible propagation vectors, ecosystem here and there, and mostly communicating what's going on to the general public(actually this one isn't). 
What's to come and what drives the current growth of malware?
- money!
- the commercialization of the market for software vulnerabilities, where we have the first underground purchase of the WMF exploit, so have software vulnerabilities always been the currency of trade in the security world or they've started getting the necessary attention recently?
- is stealth malware more than an issue compared to utilizing 0day vulnerabilities, and is retaining current zombie PCs a bigger priority than to infecting new ones?
- business competitors, enemies, unethical individuals are actively seeking for undetected pieces of malware coded especially for their needs, these definitely go beneath the sensors
- Ancheta's case is a clear indication of a working Ecosystem from my point of view, that goes as high as to provide after-sale services such as DDoS strength consultations and 0day malware on demand

To sum up, malware tends to look so sneaky when spreading and zoomed out :) I originally came across the VisualComplexity project in one of my previous posts on visualization. Feel I've missed something that's worth mentioning during the last two months? Than consider expanding the discussion!
You can also consider going through the following resources related to malware :
Continue reading →

Who needs nuclear weapons anymore?

February 09, 2006
Excluding Iran and the potential of its nuclear program (no country that bans music should have such a power!), perhaps I should rephrase - who can actually use them nowadays, are they just a statement of power, does flexibility and beneath the radar concepts matter? I feel they do.

I just came across a news article from January on a new EMP warhead test, and while there have been speculations/or movie plots that Electromagnetic Pulse Weapons could be used by terrorists, I find this a bit of exaggerated statement that actually seeks further investment in current development of the concept I guess. I feel that compared to symmetric warfare, asymmetric warfare as a concept has greatly evolved during the years, and in today's interconnected society, military powers could be easily balanced. What's else to mention is the "cooperation" between the parties on which I came across in a report on Nuclear Electromagnetic Pulse, as of June 9, 2005, namely :

 "If we really wanted to hurt you with no fear of retaliation, we would launch an SLBM,'' which if it was launched in a submarine at sea, we really would not know for certain where it came from. ``We would launch an SLBM, we would detonate a nuclear weapon high above your country, and we would shut down your power grid and your communications for 6 months or so.'' The third-ranking communist was there in the country. His name is Alexander Shurbanov, and he smiled and said, ``And if one weapon would not do it, we have some spares.'' I think the number of those spares now is something like 6,000 weapons." 

 "the Russians had developed weapons that produced 200 kilovolts per meter. Remember, the effects in Hawaii were judged to be the result of five kilovolts per meter. So this is a force about 200 times higher. The Russian generals said that they believed that to be several times higher than the hardening that we had provided for our military platforms that they could resist EMP."

 ``Chinese military writings described EMP as the key to victory and described scenarios where EMP is used against U.S. aircraft carriers in the conflict over Taiwan.'' So it is not like our potential enemies do not know that this exists. The Soviets had very wide experience with this, and there is a lot of information in the public domain relative to this. ``A survey of worldwide military and scientific literature sponsored by the commission,'' that is the commission that wrote this report, ``found widespread knowledge about EMP and its potential military utility including in Taiwan, Israel, Egypt, India, Pakistan, Iran, and North Korea."

Still there's hope for preserving the global state of security instead of fuelling its insecurity :
"In 2004, the EMP Commission met with very senior Russian officers, and we showed that on the sign. They warned that the knowledge and technology to develop what they called super EMP weapons had been transferred to North Korea and that North Korea could probably develop these weapons in the near future, within a few years. The Russian officers said that the threat that would be posed to global security by a North Korean armed with super EMP weapons was, in their view, and I am sure, Mr. Speaker, in your view and mine, unacceptable."  

Foreign views of Electromagnetic Pulse (EMP) Attack reveals further details on other nations' ambitions etc. Perhaps one of the most famous commitments towards EMP is the The Trestle Electromagnetic Pulse Simulator that can also be seen at Google Maps, still, in my opinion it's a defensive initiative for an offensive purpose :(

Extending the topic even further, The Space Warfare arms race has been an active policy of key world's leaders for decades, and that's not good. The U.S, Russia and China as the main players are fuelling the growth in one way or other due to believing in perhaps :

- that the other sides are actively developing such capabilities, and they are, because they think the opposite => arms race
- growing trend towards asymmetric warfare
- cost-effectiveness compared to building a multimillion nuclear submarine as a statement of power?
In my opinion space warfare would directly influence everyone down here on Earth, and scenarios such as :
- hijacking?
- destroying

could become normal. Space is already getting crowded, if I were to forget one of my favourite quotes "But I guess I'd say if it is just us... seems like an awful waste of space". On the other, and in respect to securing critical infrastructure on Earth :) I find recent initiatives such as the Cyber Storm exercise more PR, than relevance oriented, my point is that how come you expect to have the critical infrastructure secured, when a global overload in traffic would again deny service, a critical one. 

My point is that, the Internet as the most pervasive and cost effective tool is often utilized for sensitive both, commercial, government and military operations, attacking the Internet affects pretty much everyone. Excluding the overall shift towards network-centric warfare and you've got a problem given commercial and public IP networks are used to handle the enormous bandwidth needed for sensitive operations.

To sum up, go through the following War Quotes, and perhaps consider how major problems on Earth stop major innovations in Space. I feel War is not a solution, but an excuse that should never be said! I know this post tried to combine several different issues, but I think given IP is at the bottom line, my readers wouldn't mind :) What's your attitude on Space Warfare arms race? Is it real, and how do you picture the future developments in here?

More resources on Electromagnetic Pulse Weapons, Space Warfare and Network-Centric Warfare are also available at :
Continue reading →
Subscribe to: Comments (Atom)