Saturday, March 24, 2012

CPE: McAfee AudioParasitic: Episode 19 Virtualization part 1/2


length:  00:21:03
Special guests: Rafal Wojtczuk and Rahul Kashyap.

A lot of people think about virtualization as a way to protect systems..

Virtualization is also useful for analyzing malware…

The question is: is this security compartment solid enough?
Can the barrier be broken, allowing malware to spread from guest to host?

Vulnerability in the VM NAT service while parsing the FTP protocol – a buffer overflow can execute arbitrary code on the host, not on the guest!!

Some malware is actually VMware aware when running inside a VM environment.

There has been a lot of talk that virtualization will provide security…
The idea that there is no need for security when a system is put in virtualization is a myth!!!

Intel provides ring 0 hw access for the hypervisor…

The separation concept is interesting.
Gartner said in 2009 that 80% of virtual systems will be more vulnerable than their physical counterparts.

There is a mad rush to be the first – not really caring about security.
A lot of people rely too much on features such as snapshots as a security option..
"Because it is virtual it is more secure" – is a myth!!!


CPE: McAfee AudioParasitic: Episode 18: MS patches


length:  00:19:34

Joined by Craig Schmugar.

MS07-055: Kodak Image Viewer – remote code execution.
No public info so far.
Drive-by capability.

MS07-056: Outlook Express.
Malformed NNTP – even when using full Outlook there is a risk…

MS07-060: Word could allow remote code execution.


Bunch of IE vulnerabilities – they allow crafted URLs that are more difficult for users to detect.. one of them was public knowledge.


Apparently the MS Word one is publicly exploited, however McAfee has not seen any sample yet – it is believed that this vulnerability has been used for targeted attacks.

Many of the M$ Word vulnerabilities are used in VERY targeted attacks.


Friday, March 23, 2012

CPE: McAfee AudioParasitic: Episode 17 Offensive side of Security


length:  00:28:59
Special guest Dave Aitel from Immunity – originally from @stake, before that NIST.

Offensive side – a security company that provides security tools for testing.

CANVAS – penetration testing framework.

"I want to write exploits for a living… we like to find exploits, we like to find vulnerabilities – we like to get paid for it."

They made unmask because the code is bad.
They are a group who targeted software made by Immunity.
They found a cool cross-site scripting bug.

You could attack CANVAS quite successfully; surprisingly they have not received any report of a vulnerability.

Who is the new Britney Spears? It’s the iPhone.
Google phone – they want to be the Windows of content.

Biggest problem: ppl think about deployment first, then security…

Gmail – why do we have to host our own mail server?

Web security analysis – the best way is NOT to rely on a scanner BUT to look at the SQL API to check if there is any vulnerability…
That’s why the debugger becomes the agent.

One day: the agent becomes the analyzer – find – fix – BUT not feasible as the target keeps on moving.

Microsoft should be in a VM!!

VM is a tool that McAfee uses a lot – a lot of the time when the malware realizes that it is in a VM environment, it shuts down..

CANVAS – potentially the tool can be used to penetrate, but it is not the best tool to help the bad guys..


Thursday, March 22, 2012

CPE: McAfee AudioParasitic: Episode 16: W32/Virut family Parasitic


length:  00:21:42

In the last couple of weeks/months: an increase of the Virut family.

Bot: classified as a worm.
Trojan: has its own entity.
Parasitic infector: basically goes out to append or prepend itself to existing files on the target victim host.

Basically a parasitic will infect an existing file, as opposed to dropping/loading, which is the behavior of a Bot or Trojan.

We really have not seen these parasitics for a while – interestingly they are coming back.
The difficulty of repair is probably the most interesting part to write about…
- People do not realize how destructive parasitics are
- It can take a day, week, or months of man time to clean
- Also most of the time the virus is not properly QA’d; the result is that after cleaning it leaves a lot of corrupted files
Parasitic infectors are really destructive pieces of code by nature.
Also the same is polymorphic.
And has IRC functionality – common in the Virut family.

The main ways of infection:
- Unsafe browsing
- Getting into the network together with another part of a download


Thursday, March 15, 2012

CPE: McAfee AudioParasitic: Episode 15 Patch Tuesday


length:  00:12:16

Critical:

MS07-054: MSN Messenger remote code execution.
There was a PoC in January.
Related to the webcam – curiously similar to the Yahoo! vulnerability.
The PoC seems to have been done in China.
More and more malware is being hosted in China.

MS07-051: MS Agent remote code execution.
Limited to Windows 2000 SP4.
A remote code execution vulnerability exists in Microsoft Agent in the way that it handles certain specially crafted URLs. The vulnerability could allow an attacker to remotely execute code on the affected system.


CPE: McAfee AudioParasitic: Episode 14 Sony rootkit


length:  00:21:42

Sony released another rootkit!

It seems that they did not learn from the lesson of the past – this is very disturbing.
There is malware that purposely takes advantage of that!


All it has to do is double-click the exe file and everything disappears!!!

Scandal that Sony & their QA did not realize this is rootkit behavior & that malware writers like this!

Fp.exe dropped in a directory – click – disappears.
Then running some security scan..

Rootkit Detective can find some rooted service: fs.sys.
Other tools cannot find it!!!

Today, 30th Aug, the clock is ticking – it has not been solved by Sony.
- On the Sony website this rootkit is still available
- It’s incredible that Sony is hosting this rootkit tool that can be used by malware writers!

Compared to the DRM issue, this time we are more prepared as the DRM case set a precedent.

DAT detects this as a PUP: potentially unwanted program.
If you are a vendor you should be held more accountable.

Sony bosses: “most people don’t even know what a rootkit is – why should we worry about it?” – crazy statement.


CPE: McAfee AudioParasitic: Episode 13 Immunity Debugger

length: 00:14:48

Someone felt offended by Dave’s comment about Immunity Debugger.

Immunity Debugger is a free tool that allows you to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility.
Cuts exploit development time by 50%.

Write exploits, analyze malware, reverse engineer.

It’s a good debugger – but it is a tool that is freely available to help write malware – this is not good at the end of the day.

Very small footprint – very attractive to run.
Such a nice, easy tool to use that it will encourage malware writing.

I know that Dave Aitel did not write this to help the malware writers…

There is a job offer incorporated: get paid to use this tool?
Want to get paid to work with experienced reverse engineers & exploit developers?

Maybe I gave too much credit – maybe they want to help malware writers; there is a conflict here.

Exploit developer – is that another name for a malware writer?

By definition it is malicious – it’s running code – it’s escalating privilege, it’s incorporated, it’s executing a heap overflow and doing something else…
- Injecting whatever code you want to run
- Dropping trojans
- Creating user accounts
It does not get more malicious than that!
Every single piece of software is exploitable – at the end of the day – to write more exploits faster….


CPE: McAfee AudioParasitic: Episode 12 rootkit detective part 2

length: 00:15:43


Discussion with Ahmed Sallam, the developer who wrote Rootkit Detective.

The latest threat is to infect firmware; this puts me back 15 years ago when doing work at the BIOS level.

System architecture is sooooooo complex and soooo layered - it is sufficient for a rootkit writer to find only one layer that he is interested in - and BOOOM - hide in that layer.

Rootkits are very challenging for the author: finding new methods.

Rootkits are very challenging for the security researcher: repairing.

Basically very easy to detect but very difficult to repair!!!


Rootkit Detective is not a signature-based tool! It does not say what type of rootkit exists.
It works at a lower level - on things that are indicative that a rootkit exists and what can be done.

Compared to BlackLight, RootkitRevealer, etc.:
in terms of detection most of us know how to detect, it is not that hard to detect!!!
Rootkit Detective has a very solid technique - with much stronger process detection.
Filesystem/registry/hive - some good, sufficient techniques.

We have newer, more advanced methods/techniques BUT for today they are not necessary!

Using the vast database of rootkit samples in house, it is possible to test many methods and techniques and decide which methods & techniques should be implemented to sufficiently detect current and future rootkits for the first release.

And more methods can be implemented in future releases. No need to implement these other methods now, in order to keep some of the weapons hidden for the future...

Scary trend: how a rootkit can exploit the GPU - scares me to death - it is possible that a rootkit hides in the GPU and infects the operating system.

Closing notes:
The most dangerous hole is at the system architecture level - not at the implementation level or at the application level.


CPE: McAfee AudioParasitic: Episode 11 rootkit detective part 1

length: 00:20:21

Discussion with Ahmed Sallam, the developer who wrote Rootkit Detective.

Ahmed's background: started 17 years ago when working on a project writing a different Windows operating system (MS 5.0 and Win 3.0) in an Arabic version - from left to right.
Because of the need to write in Arabic, I had to break EVERY SINGLE piece of the operating system: the display, I/O, network...
Hence I have seen this potential for a very long time.
Everything that has been discussed in the last couple of years about rootkits, I have actually known for a loooong time, going back more than 15 years.

There is only one difference between the malware writer and the security researcher: the intention.

The technique to manipulate mapping is well known.

The Sony BMG technique is known.

What is now well known is people finding new areas or new data structures inside the Windows operating system that are good to attack.

Shadow Walker was promoted as brand new - but from Ahmed's point of view, it's nothing new.

We know this could happen - we know if someone has the knowledge and the skill, these kinds of rootkits will exist.... The problem so far: most people think this is far too complex and difficult to implement, but McAfee is aware of the potential and aware that sooner or later this type of rootkit will emerge.

Rootkit Detective is a stand-alone Stinger.
The philosophy is to detect rootkits.
It requires a change in the engine for memory scanning.
Memory-based analysis: signature based with some level of behavioral analysis.

Then the tool: Rootkit Detective is without any signatures - it purely relies on behavioral analysis.

There is a big decision to make about which methods should be implemented in the first release that are sufficient for today and the short/mid term - and which methods should be kept for future releases.

We have many methods/techniques for rootkit detection - but we should not implement them all in the first release... as a subset of methods is already sufficient for the time being.
These methods include:
- tool for system integrity checking
- tool to compare the enumerations, to identify hiding
- tool with an internal AV engine for rootkit signatures - memory-based scanning
- tool to view all malicious modifications that have been made
- detection of hidden processes & files
- tool that allows the user to modify

Rootkit Detective is not integrated in the AV because it is not signature based!!!

Many challenges in repairing!!!
- simplest rootkit: inserted code - which can be replaced
- change of data structure / network stack / file system - this is very very tricky,
because when action is taken the Windows system might still have some pointer to code that no longer exists; need to make sure to disable ALL such pointers.
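The "compare the enumerations" and "hidden processes" items above are the cross-view idea: list the same objects two independent ways and look for entries that one view hides. The following is an added example written for this page, not Rootkit Detective's own code; it assumes Linux, with the numeric names in /proc (what `ps` reads) as the high-level view and the kill(pid, 0) probe as the low-level view.

```python
"""Cross-view hidden-process check (added example, not Rootkit Detective's
code).  A pid that the low-level probe sees but the /proc listing does not
is a candidate for something hiding from the API that ordinary tools use.
Assumes Linux: /proc names as the high-level view, kill(pid, 0) as the probe.
"""
import os


def compare_views(high_level, low_level):
    """Pids present in the low-level view but missing from the high-level one."""
    return sorted(set(low_level) - set(high_level))


def proc_view():
    """High-level view: numeric directory entries of /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_alive(pid):
    """Low-level probe: signal 0 delivers nothing but reports whether pid exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True


def probe_view(max_pid):
    """Low-level view: every pid in 1..max_pid that answers the probe."""
    return {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}


def hidden_pids(max_pid):
    """Cross-view diff with a second pass to drop timing races.

    A process that starts between the two enumerations is a discrepancy too;
    re-checking each candidate against a fresh /proc listing keeps only pids
    that are still alive yet still absent from /proc.
    """
    candidates = compare_views(proc_view(), probe_view(max_pid))
    fresh = proc_view()
    return [pid for pid in candidates if pid_alive(pid) and pid not in fresh]


def self_visible():
    """Sanity check: the calling process must appear in both views, not as hidden."""
    me = os.getpid()
    return me in proc_view() and pid_alive(me) and me not in hidden_pids(me)
```

A /proc mounted with the hidepid option produces the same visible-vs-alive gap for other users' processes, so a non-empty result needs a look at how /proc is mounted before it is read as a rootkit.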


Thursday, March 1, 2012

get well soon Jeb Corliss



Many people in the skydiving community make fun of Jeb Corliss as he is too self-promoting...

But if you watch this video at 1:25, after hitting the ground he still has the reflex to open the parachute.... super respect... he deserves to be alive because not many people have that reflex...
