Unsigned Code Execution in Windows Vista

Nitin Kumar and Vipin Kumar are about to present the Vbootkit at the upcoming Blackhat and HITB cons :

"We have been recently researching on Vista. Meanwhile, our research for fun lead us to some important findings. Vista is still vulnerable to unsigned code execution.vbootkit is the name we have chosen ( V stands for Vista and boot kit is just a termed coined which is a kit which lets you doctor boot process).vbootkit concept presents how to insert arbitrary code into RC1 and RC2, thus effectively bypassing the famous Vista policy for allowing only digitally signed code to be loaded into kernel. The presented attack works using the custom boot sectors.Custom boot sector are modified boot sectors which hook booting process of the system & thus, gains control of the system. Meanwhile, the OS continues to boot and goes on with normal execution."

Vulnerabilities are an inevitable commodity, they will always appear and instead of counting them on an OS or software basis, consider a vendor's response time while following the life of the security threat. I never actually liked the idea of an insecure OS, to me there're well configured and badly configured OSs in respect to security, but then again if you're a monocultural target the way Microsoft is, you'll always be in the zero day spotlight. A security breach will sooner or later hit your organization, don't talk, act and pretend you're 100% secure because you cannot be. Instead a little bit of proactive measures balanced with contingency planning to minimize the impact is what should get a high priority in your strategy. Here's a related post.

Cartoon courtesy of Userfriendly.org

A Fortune 500 Blogosphere? Not Yet

Enterprise 2.0 is slowly gaining grounds and you cannot deny it despite top management's neutral position on yet another major "Reengineering of the Corporation". Supply chain management was perhaps among the first departments to really utilize the power of real-time information, and interoperable data standarts -- a mashup-ed ecosystem -- but improving your employees productivity through Web 2.0 tools such as intranet blogs and wikis remains just as unpopular as actual Fortune 500 companies blogging? But how come? Lack of evangelists? Not at all. There's one minor obstacle, you cannot teach an old dog new tricks, unless of course you dedicate extra investments into training him, which is exactly what I feel is happening at the corporate stage - everyone's patiently waiting for the concepts to mature before training and implementation happen for real. What's the current attitude towards external Web 2.0 activities? A Fortune 500 blogosphere isn't emerging as fast as the mainstream one is according to the Fortune 500 Business Blogging Wiki :

"a directory of Fortune 500 companies that have business blogs, defined as: active public blogs by company employees about the company and/or its products. According to our research, 40 (8%) of the Fortune 500 are blogging as of 10/05/06. The navigation sidebar to the right lists all the Fortune 500 companies. The list below are the ones that we've found so far that have public blogs as defined above. Please help us by entering data on those we've missed. ONLY Fortune 500 companies, please. If you're not sure if it's on the F500 list (it includes US companies only), check the sidebar. If it's not there, consider adding it to the Global 1,000 Business Blogging page instead."

I think the main reason behind this are the inevitable channel conflicts that will arise from let's say Pfizer's blogging compared to using the services of their traditional advertising and PR agencies -- I also imagine a links density analysis of their blog indicating the highest % of links pointing to Erowid.org. But ask yourself the following, what if these very same agencies start offering bloggers-for-hire in their portfolio of services, would the big guys get interested then? Or when will they start understanding the ROI of blogging?

Video on Analyzing and Removing Rootkits

Courtesy of WatchGuard part three of their malware analysis series walks you through various commercial and free utilities for detecting and removing rootkits :

"In this episode, Corey and his Magic White Board show how kernel mode rootkits work. Also covered: recommended tools and techniques for detecting and removing rootkits."

Jihadists Using Kaspersky Anti Virus

I wonder what are the low lifes actually protecting themselves from? Malware attacks in principle, or preparing to prevent a malware infection courtesy of an unamed law enforcement agency given their interest in coding malware :

"German police officials have expressed interest in developing software tools to help them surveil computer users who may be involved in crime. The tools might include types of software similar to those used in online fraud and theft schemes, such as programs that record keystrokes, logins and passwords. Security companies, however, are asserting that they wouldn't make exceptions to their software to accommodate, for example, Trojan horse programs planted by law enforcement on users' computers."

This is a very contradictive development that deserves to be much more actively debated around the industry than it is for the time being. Law enforcement agensies and intelligence agencies have always been interested in zero day vulnerabilities and firmware infections, thus gaining a competitive advantage in the silent war. Among the most famous speculations of an intelligence agency using malicious code for offensive purposes is the infamous CIA infection/logicbomb of Russian gas pipeline :

"While there were no physical casualties from the pipeline explosion, there was significant damage to the Soviet economy. Its ultimate bankruptcy, not a bloody battle or nuclear exchange, is what brought the Cold War to an end. In time the Soviets came to understand that they had been stealing bogus technology, but now what were they to do? By implication, every cell of the Soviet leviathan might be infected. They had no way of knowing which equipment was sound, which was bogus. All was suspect, which was the intended endgame for the operation. The faulty software was slipped to the Russians after an agent recruited by the French and dubbed "Farewell" provided a shopping list of Soviet priorities, which focused on stealing Western technology."

Excluding the spy thriller motives, nothing's impossible the impossible just takes a little while, and the same goes for SCADA devices vulnerabilities and on purposely shipping buggy software. Anti virus vendors will get even more pressure trying to protect their customers from not only the malware released by malware authors, but also from the one courtesy of law enforcement agencies. Cyber warfare is here to stay, no doubt about it, but using malware to monitor suspects will perhaps prompt them to keep an eye on the last time their AV software got updated, and still keep pushing the update button in between.

ASCII Art Spam

A spammer's biggest trade off - making it through anti-spam filters doesn't mean the email receipt will even get the slightest chance of understanding what he's about to get scammed with.

"We have seen SPAM using ASCII ART in order to avoid being detected by antispam filters. Most of the times, they try to show different words (Viagra, etc.) using this technique, but this is the first time I have seen them showing a picture. It is not a very high quality one, but I’ve tried it with some different antispam filters and they have been fooled."

Here's an old school ASCII generator you can play around with, and a related image from a previous post on overperforming spammers.

The Underground Economy's Supply of Goods

Symantec (SYMC) just released their latest Internet Security Threat Report, a 104 pages of rich on graphs observations, according to the data streaming from their sensor network :

"Volume XI includes a new category: “Underground Economy Servers”. These are used by criminals and criminal organizations to sell stolen information, including government-issued identity numbers, credit cards, bank cards and personal identification numbers (PINs), user accounts, and email address lists. To reduce facilitating identity theft, organizations should take steps to protect data stored on or transmitted over their computers. It is critical to develop and implement encryption to ensure that any sensitive data is protected from unauthorized access."

In between their coverage on various segments such as vulnerabilities, phishing, spam, and yes malware despite that I'm having my doubts on SMTP as the major propagation vector on a worldwide scale, I came across to a nice figure summarizing their encouterings while browsing around various forums and web sites.

The question is - why are these underground goods cheaper than a Kids' menu at McDonalds as I've once pointed out at O'Reilly's Radar post on spamonomics? Because in 2007 we can easily speak of "malicious economies of scale" thus, profit margin gains despite the ongoing zero day vulnerabilities cash bubble at certain forums, doesn't seem to be that very important. So can we therefore conclude that greed isn't the ultimate driving force, but trying to get rid of the stolen information in the fastest way possible in between taking into consideration its dissapearing exclusiveness with each and every minute? The principle goes that a dollar earned today is worth more than a dollar earned tomorrow, but how come? Simple, by tomorrow the exclusiveness of your goods might by just gone, because the affected parties detected the leaks and took actions to prevent the damage.

Issues to keep in mind regarding the graph:
- Harvested spam databases have been circulating around for years and so turned into a commodity, for instance, I often come across geographically segmented databases or per email provider segmented ones, not for sale, but for free. So how come the "good" is offered for free? It's obviously fine for the "good" to be offered for free when there's a charge for service, the service of verifying the validity of the emails, the service of encoding the message in a way to bypass anti spam filters, and the service of actually sending the messages

- Where's the deal of a malicious party when selling an online banking account with a $9,900 balance for just $300? For me, it's a simple process of risk-forwarding to a party that is actually capable of getting hold of the cash

- Yahoo and Hotmail email cookies per piece? Next it will be an infected party's clickstream for sale, and you'll have the malicious parties competing with major ISPs who are obviously selling yours for the time being.

- Compromised computers per piece? Not exactly. Entire botnets or the utilization of the possible services offered on demand for a price that's slightly a bit higher than the one pointed out here.

Psychological imagation is just as important as playing a devil's advocate to come up with scenario building tactics in order to protect your customers and yourself from tomorrow's threats.

Related images:
- surveying potential buyers of zero day vulnerabilities in order to apply marginal thinking in their proposition
- advertisement for selling zero day vulnerabilities
- listing of available exploits
- zero day vulnerabilities shop, I'm certain it's a PHP module that's currently hosted somewhere else
- the WebAttacker toolkit
- The RootLauncher
- The Nuclear Grabber and geolocated infections-- site dissapeared already