Sunday, April 29, 2012

CPE: McAfee AudioParasitic: Episode 33 part 1/2: Race to Zero to be held at Def Con


length: 00:15:42

No matter what, the bad guys will create undetectable malware,
so we should at least benefit from this: "give us the sample!!!"
Unfortunately, here the rule is: do not share the sample. This is flawed.

If the sample is not shared, only the bad guys benefit.
The good guys also need to receive the sample to analyze it.

People tend to forget that AV is reactive.
It's nothing we don't already know.

There is no good reason not to share the sample with the AV community.

At the end of the day, we're supposed to be the good guys:
"AV is dead", blah blah blah, is not helping anybody.

VirusTotal: the AV engines are not optimally configured.
Just the CLI function.
For example: script scan is accessed from the CLI.
Useful to test a sample BUT not useful for benchmarking.


Friday, April 27, 2012

CPE: McAfee AudioParasitic: Episode 32: M$ Tuesday


length: 00:12:40

Most critical:
MS08-018: vulnerability in Microsoft Project that could allow remote code execution if a user opens a specially crafted Project file; successful exploitation could take complete control of an affected system.

MS08-025: vulnerability in the Windows kernel. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.

The IE vulnerability can be exploited for remote code execution.

Before the patch there is usually not a lot of activity, but after the patch has been released there is usually more,
through reverse engineering.


Thursday, April 26, 2012

CPE: McAfee AudioParasitic: Episode 31: SAGE 3


length: 00:30:06

SAGE 3: examines global malware trends.

China's Internet users skyrocketed up to 500% during the last 5 years.
The rest of the world: 200%.
US: 121% during the same time period.

The Chinese government has released recommendations to avoid game fatigue; is it going to lead to localized malware?

China-specialized malware has started, in order to also stay under the radar.

If SPAM wants to be successful, it has to use the local language.

Phishing attacks: 2 years ago 99% of SPAM was English; now 7-8% is non-English, which is an awful lot of SPAM.
It goes hand in hand with customized malware; it's one more way to stay under the radar.
Most intelligence is based on certain languages.
Exploitation through obscurity.


CPE: McAfee AudioParasitic: Episode 30: M$ Patch Tuesday


length: 00:21:40

Most critical:

MS08-014: vulnerabilities in Excel that could allow remote code execution if a user opens a specially crafted Excel file.

MS08-017: vulnerabilities in Office Web Components. These vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page.

People have been burned by ActiveX so many times that this has led to a government releasing a recommendation not to use IE.
Drastic times call for drastic measures.

The ActiveX web component of Office can be exploited drive-by.

Microsoft's wording, "must trick the user into clicking a malicious website", makes it sound more difficult than it really is.

There was a security advisory in January related to a 0day that was expected to be patched in the previous Patch Tuesday; finally released today.

Outlook: capable of remote code exec via email.
Espionage payload.

M$ recommendation: set killbits. Most people cannot be bothered to update AV; they don't even know what a killbit is???
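As an added example (not from the podcast or this blog), a PowerShell check that reads the ActiveX kill bit for a given CLSID, so an admin can verify that a bulletin's recommended killbit is actually in place; the CLSID used is a placeholder:

```powershell
# Added example: check whether the ActiveX kill bit is set for a CLSID.
# The kill bit is the 0x400 flag in the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# (and, for 32-bit IE on 64-bit Windows, the Wow6432Node copy of that key).
function Test-KillBit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid
    )
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($key in $paths) {
        $present = Test-Path $key
        $set = $false
        if ($present) {
            $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            # Bit 0x400 is the kill bit; any other bits are unrelated compat flags.
            $set = ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
        }
        [pscustomobject]@{
            Clsid      = $Clsid
            Key        = $key
            KeyPresent = $present
            KillBitSet = $set
        }
    }
}

# Placeholder CLSID (constructed, not a control named in any bulletin above).
Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

A row with KillBitSet = False for a CLSID the bulletin tells you to kill means the mitigation has not been applied on that host.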


Wednesday, April 25, 2012

CPE: McAfee AudioParasitic: Episode 29 part 2/2 intellectual property (patent), Mac Security & Virtualization.


length: 00:25:40
Part 2 of the intellectual property (patent), Mac Security & Virtualization discussion with Dave, Jim and George Heron (chief scientist at McAfee).

OS X has actually implemented many best practices, such as mandatory access control, application signing, library randomization, and cryptographic verification of installation packages.
These are good best practices that will mitigate attacks no matter where they come from.

Vista boasted the feature of running as a standard user; this has been in OS X for years.
Vista security is great, but not cutting edge.

Application sandboxing.

Virtualization is probably the only technology that is really disruptive in security.

It really changes the fundamental beliefs and mechanisms of how things work today.

Virtualization opens up a whole new level of application.

It opens up possibilities for bad guys and good guys.
It's not only about economic savings; it's also going to change the ball game of malware.
It allows looking at APIs from outside the OS.

5 security advantages in virtualization:
1. Offline scanning
2. Untethered monitoring (looking at the registry)
3. Backups
4. Ensuring compliance
5. ?

Hypervisor worries:
1. Security
2. Vulnerability
3. Saving the VM image.


CPE: McAfee AudioParasitic: Episode 28: M$ Patch Tuesday


length: 00:15:41

11 bulletins: 1 pulled, originally 12 were scheduled.
17 vulnerabilities: only 1 was public prior to release.

Most critical:
MS08-008: vulnerability in OLE Automation that could allow remote code execution if a user viewed a specially crafted Web page. The vulnerability could be exploited through attacks on Object Linking and Embedding (OLE) Automation.

MS08-009: could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

MS08-010: IE; the most serious of the vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer.

MS08-013: could allow remote code execution if a user opens a specially crafted Microsoft Office file with a malformed object inserted into the document.

The IE vulnerability was a 0day: the exploit was known to somebody and used in targeted attacks.

DoS
Privilege escalation
Remote exec
IIS server-side: MS08-006

Worm-related vulnerabilities are relatively infrequent nowadays.
IE-related vulnerabilities are much more important.

It's been more than 1 year since we've seen self-replicating malware.
Nowadays malware writers try to stay under the radar.

M$ might group together security bulletins for services that require a reboot.
Lately most vulnerabilities are application vulnerabilities.


Tuesday, April 24, 2012

CPE: McAfee AudioParasitic: Episode 27: part 1/2 intellectual property (patent), Mac Security & Virtualization.

length: 00:25:40
Intellectual property (patent), Mac Security & Virtualization discussion with Dave, Jim and George Heron (chief scientist at McAfee).
Studying the security trend.

Intellectual property is a very important component of a company.
On average McAfee is filing 100-200 patents/year.

Once you submit a patent and it's accepted, a lot of companies make a nice big plaque with the patent number.

Patents benefit the company because they give competitive advantages, and also benefit the employees, who get better recognition.

Apple is probably the strongest OS in the world at this moment.
There are some inherent security benefits.
Some security benefits are myths, but some are real.
The bad guys target the biggest market share: the biggest bang for their buck.
The smaller market share of Mac gives this advantage, but it is going to change.
But Apple has a lot of fundamentally good security infrastructure.
Mac is resilient to certain types of attack.

Data leaks are also getting more and more important.

Last year (Nov 2007) was the first time they found malware targeting the OS X platform.
It was a popper, a DNS changer.
It was disguised as a codec; the group that wrote it was the same group that really, really, really knows how to write advanced malware on Windows, such as zilock.


Thursday, April 19, 2012

CPE: McAfee AudioParasitic: Episode 26: Verbal Data loss


length: 00:22:47
Verbal data loss.
Especially in the airport, you can tell based on their clothes or the stuff they are wearing which companies people work for.
You can also hear the whole meeting:
discussing sensitive issues, as they do board meetings, buy orders, sell orders, all this confidential information, trade secrets, account numbers, reading off the credit card number and the secret CVV number.

Of course they yell all this information because they are in a noisy public place.

People must understand and follow proper rules of engagement.

People must/should anonymize themselves; sometimes security by obscurity works.

People must be aware of their surroundings.

This is the difference between AudioParasitic and other podcasts: we talk about problems that don't have a solution, hehehe.


Wednesday, April 18, 2012

CPE: McAfee AudioParasitic: Episode 25: M$ Patch Tuesday

length: 00:08:01

Most critical:
MS08-001: vulnerabilities in TCP/IP processing. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
MS08-002: vulnerability in Microsoft Windows Local Security Authority Subsystem Service (LSASS). The vulnerability could allow an attacker to run arbitrary code with elevated privileges.


CPE: McAfee AudioParasitic: Episode 24: Virtual Criminology report


length: 00:28:28
Growing popularity of custom trojans.
Highly QA'd, subscription-based malware.

You can go to a website and order your own malware, plus you can get support; it's "underground", very active, started in the HackerDefender days, the Holy Father.
Updated every 3 months & guaranteed to avoid detection.

Then you can use online testing, such as VirusTotal, for QA; you don't necessarily have to share the sample!!!

Should the writing of exploits, buying, and selling be considered illegal?
Companies that look for/buy/pay bounties for vulnerabilities can cause more harm.
Every time you put money in the equation, there will be an evil component.

When malware goes PARASITIC, it's going to be a nightmare.
More sophistication, easier to ransom, it's high-level coding.
More complex to clean & restore.

A lot of attacks on foreign governments have China as the reference; a state-sponsored malware writing group?


Tuesday, April 3, 2012

CPE: McAfee AudioParasitic: Episode 23: M$ Patch Tuesday


length: 00:16:01
Most critical:
MS07-069: IE vulnerability, in the wild but without public details.
MS07-064: could allow code execution if a user opened a specially crafted file used for streaming media in DirectX.
MS07-068: could allow remote code execution if a user viewed a specially crafted file in Windows Media Format Runtime.


CPE: McAfee AudioParasitic: Episode 22: 2008 McAfee Avert threat forecast


length: 00:31:41
1. Web 2.0: can be fixed quickly once found; victims of their own success; more personalized attacks; its exploits change radically over time
2. Botnets: follow the Storm; Storm is constantly moving
3. IM: instant messaging malware; we're expecting an instant messaging worm
4. Online games: money to be made + less risky
5. Vista joins the party: deployment footprint
6. Adware: continuous decline, peaked in 2007
7. Phishers cast a wider net
8. Parasitic crimeware takes root: harder to remove
9. Virtualization: transforms infosec
10. VoIP attacks rise 50%

Storm: 1000 new variants/day, server-side polymorphism, uses P2P command & control.

Parasitic: it's an old-school technique, basically being parasitic in an environment; probably now, with many younger AV companies, this is a good strategy as they don't have protection against it.


CPE: McAfee AudioParasitic: Episode 21: MS patch


length: 00:07:41

2 bulletins.

MS07-061: URI handling issue.
IE 7 is vulnerable!
MS just acknowledged this issue; initially Firefox reported it. M$ responded that it was the application's responsibility to validate the URI... however, M$ products are also affected.
Adobe has also released a patch; there are active exploits targeting users via SPAM with PDFs.

This has been pseudo-public for quite some time...

MS07-062: DNS spoofing.
Affects DNS servers only.
Not known to be public prior to this publication.


CPE: McAfee AudioParasitic: Episode 20 Virtualization part 2/2


length: 00:23:00
Special guests: Rafal Wojtczuk and Rahul Kashyap.

When you go virtual, you will have the same security problems.
When deploying a virtual environment, you need to prepare security wisely.

It's naive to think that virtual = secure.

Virtualization has a lot to offer:
- Offers separation
- Offers a much higher level of control
It's difficult to detect rootkits; the hypervisor offers a new level, allowing you to freeze the system and analyze it, including analyzing the system accurately.
This procedure cannot be tampered with by code running at guest level.
- Creates an opportunity for AV companies: having this level of control & access gives a better view of the state of the OS.

Trusted computing could be a very important solution.
If there is a rootkit, which is hard to detect, having a secure channel helps!

In BSD & Linux: KVM Kernel Virtual Memory.

Can a VM be detected via the network?
As each VM guest gets a slice of processing time, in round robin, it is possible to do packet analysis, looking at the rate at which packets are created; it's possible to guess if it's a VM.
