quinta-feira, 23 de dezembro de 2010

Emerging Threats x VRT Rules - Enable versus Classtype

Playing with bot ruleset I start to analyze some differences between them in special enable x disable rules based on classtype or category . As base I'm using VRT tarball from Nov 23th and ET emerging-all from Dec 22nd .

About VRT (I only analyzed plain-text rules):

Total Plain-text Rules: 16301
Total Enable: 4597
Total Disable: 11704

Enable rules x Category/Classtype

   1370 Status: Enable Category: attempted-user
    925 Status: Enable Category: misc-activity
    646 Status: Enable Category: trojan-activity
    419 Status: Enable Category: attempted-admin
    287 Status: Enable Category: successful-recon-limited
    249 Status: Enable Category: protocol-command-decode
    114 Status: Enable Category: attempted-dos
    111 Status: Enable Category: misc-attack
    108 Status: Enable Category: rpc-portmap-decode
    106 Status: Enable Category: policy-violation
     77 Status: Enable Category: attempted-recon
     42 Status: Enable Category: shellcode-detect
     34 Status: Enable Category: bad-unknown
     32 Status: Enable Category: web-application-attack
     16 Status: Enable Category: denial-of-service
     13 Status: Enable Category: suspicious-filename-detect
     12 Status: Enable Category: suspicious-login
     10 Status: Enable Category: unsuccessful-user
      6 Status: Enable Category: web-application-activity
      5 Status: Enable Category: successful-admin
      4 Status: Enable Category: system-call-detect
      4 Status: Enable Category: string-detect
      4 Status: Enable Category: network-scan
      1 Status: Enable Category: unknown
      1 Status: Enable Category: successful-user
      1 Status: Enable Category: not-suspicious

General Category/Classtype

   3764  attempted-user
   3612  attempted-admin
   3516  protocol-command-decode
   1228  misc-activity
   1119  trojan-activity
    520  web-application-activity
    425  web-application-attack
    358  attempted-recon
    328  bad-unknown
    308  successful-recon-limited
    301  policy-violation
    266  attempted-dos
    198  misc-attack
    133  rpc-portmap-decode
     67  shellcode-detect
     35  suspicious-filename-detect
     32  denial-of-service
     19  suspicious-login
     15  not-suspicious
     12  unsuccessful-user
      9  successful-admin
      8  non-standard-protocol
      6  default-login-attempt
      5  system-call-detect
      5  network-scan
      4  unknown
      4  string-detect
      3  unusual-client-port-connection
      1  successful-user

About ET 

Total Plain-text Rules: 11517
Total Enable: 9644
Total Disable: 1873

Enable rules x Category/Classtype

   5049 Status: Enable Category: web-application-attack
   1617 Status: Enable Category: trojan-activity
    474 Status: Enable Category: attempted-user
    376 Status: Enable Category:  trojan-activity
    339 Status: Enable Category: protocol-command-decode
    295 Status: Enable Category: attempted-admin
    265 Status: Enable Category: policy-violation
    206 Status: Enable Category:  policy-violation
    176 Status: Enable Category: attempted-recon
    167 Status: Enable Category: bad-unknown
    102 Status: Enable Category: misc-attack
     81 Status: Enable Category: misc-activity
     81 Status: Enable Category: attempted-dos
     80 Status: Enable Category: rpc-portmap-decode
     54 Status: Enable Category: web-application-activity
     40 Status: Enable Category:  misc-activity
     32 Status: Enable Category:  web-application-attack
     30 Status: Enable Category: shellcode-detect
     16 Status: Enable Category: denial-of-service
     16 Status: Enable Category:  attempted-recon
     13 Status: Enable Category: not-suspicious
     12 Status: Enable Category: suspicious-filename-detect
     12 Status: Enable Category:  attempted-admin
     11 Status: Enable Category: unsuccessful-user
     11 Status: Enable Category:  misc-attack
     10 Status: Enable Category: successful-admin
     10 Status: Enable Category:  string-detect
     10 Status: Enable Category:  attempted-dos
      9 Status: Enable Category: suspicious-login
      5 Status: Enable Category: default-login-attempt
      4 Status: Enable Category: unknown
      4 Status: Enable Category:  suspicious-login
      4 Status: Enable Category: successful-user
      4 Status: Enable Category: non-standard-protocol
      4 Status: Enable Category: network-scan
      3 Status: Enable Category:  web-application-activity
      3 Status: Enable Category: system-call-detect
      3 Status: Enable Category: successful-recon-limited
      3 Status: Enable Category: successful-dos
      3 Status: Enable Category:  bad-unknown
      2 Status: Enable Category: unusual-client-port-connection
      2 Status: Enable Category:  not-suspicious
      1 Status: Enable Category:  successful-admin
      1 Status: Enable Category: string-detect
      1 Status: Enable Category:  shellcode-detect
      1 Status: Enable Category:  denial-of-service
      1 Status: Enable Category:  attempted-user

General Category/Classtype

   5213  web-application-attack
   1799  trojan-activity
    643  attempted-user
    568  policy-violation
    410   trojan-activity
    384  protocol-command-decode
    373  attempted-admin
    300  misc-activity
    276  attempted-recon
    268   policy-violation
    238  bad-unknown
    137  shellcode-detect
    136  attempted-dos
    134  misc-attack
     95  web-application-activity
     88  rpc-portmap-decode
     80   misc-activity
     39  not-suspicious
     36   web-application-attack
     27  successful-user
     25   attempted-recon
     20  unusual-client-port-connection
     17   misc-attack
     17  denial-of-service
     16  suspicious-filename-detect
     16   attempted-admin
     14  successful-admin
     13   attempted-dos
     12   bad-unknown
     11  unsuccessful-user
     11  unknown
     11  suspicious-login
     11   string-detect
     10   not-suspicious
     10  non-standard-protocol
      7  default-login-attempt
      5  system-call-detect
      5  successful-recon-limited
      5  network-scan
      4   web-application-activity
      4   suspicious-login
      4   suspicious-filename-detect
      4   shellcode-detect
      4   attempted-user
      3  successful-dos
      2  string-detect
      2   denial-of-service
      1   successful-admin
      1   non-standard-protocol

In summary:

- ET has almost double rules enable by default
- VRT most enable rules focus on attempted-user
- ET most enable rules focus on web-application-attack and trojan-activity
- Rules from ET and VRT target different protections what you should analyze where you will seat your sensor for best decision or using both and mixing them

I just did some basic scripting and my numbers could not be accurate but it's a good base .

Happy Snorting!

Rodrigo Montoro (Sp0oKeR)

quarta-feira, 6 de outubro de 2010

Palestras no Brasil - OWASP e H2HC


Faz um tempo desde o último post mas a vida anda corrida por esses lados .  Faço esse post para comentar mais 2 palestras aceitas só que agora no Brasil felizmente .

A primeira ocorrerá no OWASP AppSec Brasil que acontecerá em Campinas onde falarei do uso do Modsecurity WAF para Virtual Patching ( http://www.owasp.org/index.php/AppSec_Brasil_2010#tab=Speakers)

Mais info: http://www.owasp.org/index.php/AppSec_Brasil_2010#tab=Calls

Outra que tive o prazer de ser aceito e falarei pela primeira vez sera a Hackers to Hackers Conference aka H2HC . Nela falarei sobre minha pdf de scoring da estrutura do pdf o que me deixa bem feliz de falar sobre ela por aqui também. 

Mais info: http://www.h2hc.com.br

Espero encontrar com vocês lá .

Happy Hacking!

Rodrigo "Sp0oKeR" Montoro

quarta-feira, 8 de setembro de 2010

PDF Talk Accepted at Toorcon San Diego

I'm very excited that my talk was accepted at Toorcon San Diego. About the conference:

Who:    Hackers Like You.
What:   ToorCon 12
When:   OCT 22rd-24th
Where:  San Diego Convention Center
Why:    What Could possibly go wrong?

I'll be talking about part of my research at Trustwave Spiderlabs Research where we are doing a new way to detect malicious pdf files . The title for my talk: "Scoring PDF structure to detect malicious files"

Preliminary Agenda for Toorcon: http://sandiego.toorcon.org/index.php?option=com_content&task=section&id=3&Itemid=9#lineup

Hope to see you there!

Rodrigo "Sp0oKeR" Montoro

quinta-feira, 2 de setembro de 2010

Snort Rules - Using content:"GET "; or not ?

I'm doing some tests with different rules since I'm creating a rules test labs and based on some old read/thread and one simple test here I started to look why do we use content:"GET "; in a lot of rules since it'll not be the first match mostly.

My first test that I started to notice what I read before was about using http_method or not with engine 2.8.6 .

My pcap I created a very simple GET / (packet  5)

$ tshark -r get-NoHost.pcap
 1   0.000000 -> TCP 61599 > http [SYN]
Seq=0 Win=65535 Len=0 MSS=1460 WS=3 TSV=534894464 TSER=0

2   0.001384 -> TCP 61599 > http [ACK]
Seq=1 Ack=1 Win=524280 Len=0 TSV=534894464 TSER=134793051

 3   3.798825 -> TCP [TCP Dup ACK 2#1]
61599 > http [ACK] Seq=1 Ack=1 Win=524280 Len=0 TSV=534894502

 4   7.348575 -> TCP [TCP segment of a
reassembled PDU]

 5   7.892566 -> HTTP GET / HTTP/1.0

 6   8.197800 -> TCP 61599 > http [ACK]
Seq=19 Ack=325 Win=524280 Len=0 TSV=534894546 TSER=134795100

 7   8.202863 -> TCP 61599 > http [ACK]
Seq=19 Ack=326 Win=524280 Len=0 TSV=534894546 TSER=134795102

 8   8.202895 -> TCP 61599 > http [FIN,
ACK] Seq=19 Ack=326 Win=524280 Len=0 TSV=534894546 TSER=134795102

I used those rules for testing the basics in my lab:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule One - GET";content:"GET";http_
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Two - POST";content:"POST";http_method;content:"index";sid:654321;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Three GET without
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Four GET without http_method but using fast_pattern";content:"GET";fast_pattern;content:"ABCDE";sid:9845324;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Five GET without http_method and only content";content:"GET";sid:

And as result I got

$ perl rule-test-check.pl get-NoHost.pcap rules-samples/rules-new.rules snort.conf

SpiderLabs Rules Test version 0.1 Alpha

Result: Checked 123456 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule One - GET";content:"GET";http_

Result: NoCheck 654321 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Two - POST";content:"POST";http_

Result: NoCheck 23465324 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Three GET without http_method";content:"GET";

Result: Checked 9845324 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Four GET without http_method but using fast_pattern";content:"GET";

Result: Checked 4365324 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Five GET without http_method and only content";content:"GET";sid:

Count Summary

Checked: 3
NotChecked: 2


Checked means that there is some output for this sid for one basic check at least (I'm using as base content GET since we have the packet number 5 with it) .

Based on that I remembered a good thread where Will Metacalf and Steve discuss some new features and http_modifiers use http://sourceforge.net/mailarchive/message.php?msg_name=c13e433a1003092015v2d86f9a7x2eb73a2528df09f3%40mail.gmail.com .

So I tested based on some very basic grep at emerging-all.rules  "grep content:"GET " emerging-all.rules " . Using the rules that were output I ran my test against those rules (around 1047 rules) and the summary results:

Checked: 4
NotChecked: 1043

I started to figured out that content:"GET "; when we use that is tobe the first match BUT if you don't specify fast_pattern by default it'll be the bigger content to match ( http://vrt-sourcefire.blogspot.com/2009/07/rule-performance-part-one-content.html ) . So with another basic sed I changed the rules a little bit " sed -e 's/content:"GET ";/content:"GET ";fast_pattern;/g' " where it change for example:


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zeus Bot / Zbot Checkin (/us01d/in.php)"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/us01d/in.php"; reference:url,garwarner.blogspot.com/2010/01/american-bankers-association-version-of.html; reference:url,doc.emergingthreats.net/2010729; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus; classtype:trojan-activity; sid:2010729; rev:3;)
fast_pattern debug choosing the biggest content found
 Fast pattern matcher: URI content
 Fast pattern set: no
 Fast pattern only: no
 Negated: no
 Pattern offset,length: none
 Pattern truncated: no
 Original pattern
 Final pattern

After sed

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zeus Bot / Zbot Checkin (/us01d/in.php)"; flow:established,to_server; content:"GET ";fast_pattern; nocase; depth:4; uricontent:"/us01d/in.php"; reference:url,garwarner.blogspot.com/2010/01/american-bankers-association-version-of.html; reference:url,doc.emergingthreats.net/2010729; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus; classtype:trojan-activity; sid:2010729; rev:3;)

Rules fast_pattern debug using this option

 Fast pattern matcher: Content
 Fast pattern set: yes
 Fast pattern only: no
 Negated: no
 Pattern offset,length: none
 Pattern truncated: no
 Original pattern
 Final pattern

I rerun the same test and I got:

Checked: 976
NotChecked: 71

* Where NotChecked are mostly some GET content in a different way since I'm doing pretty basic grep/sed and not being so accurate =) .

The last test I changed fast_pattern to http_method but http_method only receive the normalize buffer but the default fast_pattern is the same , that's mean bigger content  so no change from the first result.

So my question is:  do we really need to analyze GET or POST (probably the same behavior since it's a short name) ? Did somebody try/test something like this before ? am I getting nuts talking about this? =D

In my opinion we could remove content:"GET ";  from the rules since it'll only use some checks and "decrease" the performance . I think we already have lot of point that make sure that it's a http traffic since using $HTTP_PORTS , flow , uricontent that comes from http_inspect and so on.
Some friends that I discussed about this told some point as : "maybe the attack can only be done using GET so it's good to specify since using POST will generate a false positive". My argument is the opposite since most rules we are not sure if that works with GET and/or POST only if we don't use them as part of the rule we will mitigate False Negatives and maybe save lot of CPU's cycle (but we need test to make sure about that) . I really prefer couple of FP than FN's .
What do you think ?

Rodrigo "Sp0oKeR" Montoro

quarta-feira, 1 de setembro de 2010

(IN)Secure Magazine Issue 17 released

New release of this awesome digital and free magazine

  • Review: BlockMaster SafeStick secure USB flash drive
  • The devil is in the details: Securing the enterprise against the cloud
  • Cybercrime may be on the rise, but authentication evolves to defeat it
  • Learning from bruteforcers
  • PCI DSS v1.3: Vital to the emerging demand for virtualization and cloud security
  • Security testing - the key to software quality
  • A brief history of security and the mobile enterprise
  • Payment card security: Risk and control assessments
  • Security as a process: Does your security team fuzz?
  • Book review: Designing Network Security, 2nd Edition
  • Intelligent security: Countering sophisticated fraud

To download it:  http://www.net-security.org/insecuremag.php


Rodrigo "Sp0oKeR" Montoro

sexta-feira, 27 de agosto de 2010

ISSA Day Julho com Conviso falando Blackhat/Defcon/B-Sides

O Capítulo Brasil da ISSA convida a todos os interessados a participar do ISSA Day de Agosto 2010.
O evento é gratuito e aberto a qualquer interessado e tem o apoio da empresa Conviso IT Security.
Conviso IT Security
Data: 31 de Agosto de 2010, das 19:00h às 22:00h
19h00 – Credenciamento,
19h30 – Palestra da ISSA - Por que ser ISSA?
20h00 – Abertura falando sobre a Conviso.
20h15 – O processo de segurança em desenvolvimento, que não é ISO 15.408
21h00 – Palestra sobre a Black Hat e Defcon
21h45 – Sorteio de Treinamento Conviso e Encerramento – Com HH
Bar Genoino.
Rua Joaquim Távora 1217,  Vila Mariana – São Paulo – SP

Para se inscrever: http://www.issabrasil.org/2010/08/24/issa-day-agosto-2010/

Estarei lá certamente =)!

Happy Hacking!

Rodrigo "Sp0oKeR" Montoro

quarta-feira, 18 de agosto de 2010

Updated some info for SET (Social Engineer Toolkit) PDF’s x AntiVirus & Scoring System

Virus Total Public API will make my live much easier . Look previous post about it http://spookerlabs.blogspot.com/2010/08/virus-total-public-api.html .

Some results really surprised me . Take a look and do your all conclusions .

Best AntiVirus to detect SET Malicious PDF (higher is better):

      7  "Sophos"
      7  "Microsoft"
      7  "GData"
      7  "F-Secure"
      7  "F-Prot"
      7  "ClamAV"
      7  "BitDefender"
      7  "Avast5"
      7  "Avast"
      6  "Sunbelt"
      6 "nProtect"
      6  "McAfee-GW-Edition"
      6  "eTrust-Vet"
      5  "Symantec"
      5  "PCTools"
      4  "eSafe"
      3  "NOD32"
      3  "Kaspersky"
      3  "Ikarus"
      3  "Emsisoft"
      3  "Antiy-AVL"
      2  "McAfee"
      1  "VBA32"
      1  "Panda"
      1  "AVG"
      1  "Authentium"
      1  "AntiVir"
      1  "AhnLab-V3"

Missed PDF detection for SET malicious PDF's (higher is worst) :

      7  "VirusBuster"
      7  "ViRobot"
      7  "TrendMicro-HouseCall"
      7  "TrendMicro"
      7  "TheHacker"
      7  "SUPERAntiSpyware"
      7  "Rising"
      7  "Prevx"
      7  "Norman"
      7  "Jiangmin"
      7  "Fortinet"
      7  "DrWeb"
      7  "Comodo"
      7  "CAT-QuickHeal"
      6  "VBA32"
      6  "Panda"
      6  "AVG"
      6  "Authentium"
      6  "AntiVir"
      6  "AhnLab-V3"
      5  "McAfee"
      4  "NOD32"
      4  "Kaspersky"
      4  "Ikarus"
      4  "Emsisoft"
      4  "Antiy-AVL"
      3  "eSafe"
      2  "Symantec"
      2  "PCTools"
      1  "Sunbelt"
      1 "nProtect"
      1  "McAfee-GW-Edition"
      1  "eTrust-Vet"

As we can see lot of AntiVirus missed all PDF from SET what is a big problem for companies . Some AntiVirus have some methods that VirusTotal doesn't emulate and possible those methods could detect them .

I'll do a big analysis against all my pdf's and share the results .

Happy Hacking!

Rodrigo "Sp0oKeR" Montoro

terça-feira, 17 de agosto de 2010

Virus Total Public API

Today I started to play with Virus Total Public API http://www.virustotal.com/advanced.html

My initial idea was to send files using command line and get the results quickly so I don't need a web browser and spend time uploading the file .

I read their inital samples/docs and build a mix of codes using python (most retrieve from their samples) and perl (only language I can try somehting) . By now what I have :

$ perl vt-auto.pl /LABS/pdf-basics/samples/AdamSamples/15

Sending file /LABS/pdf-basics/samples/AdamSamples/15 to Virus Total ...
Response from VT with resource "86ee2f99a207d31ea2b69198dc2bf5e7c7946eeae7dacdd6032f2c050525bc07-1282091669"

Waiting 120 seconds to wait file /LABS/pdf-basics/samples/AdamSamples/15 be scanned ...

Sending request fo Virus Total about /LABS/pdf-basics/samples/AdamSamples/15 with resource "86ee2f99a207d31ea2b69198dc2bf5e7c7946eeae7dacdd6032f2c050525bc07-1282091669"

Report Results for /LABS/pdf-basics/samples/AdamSamples/15 :
"nProtect": "Trojan-Exploit/W32.Pidief.16718.AV"
 "CAT-QuickHeal": ""
 "McAfee": "Exploit-PDF.b.gen"
 "TheHacker": ""
 "VirusBuster": "JS.Crypt.BSP"
 "NOD32": "PDF/Exploit.Pidief.AUT"
 "F-Prot": "JS/Psyme.HU"
 "Symantec": "Trojan.Pidief.D"
 "Norman": "JS/Shellcode.GS"
 "TrendMicro-HouseCall": "TROJ_PIDIEF.ADY"
 "Avast": "JS:Pdfka-PO"
 "eSafe": "PDF.Exploit.2"
 "ClamAV": "Suspect.PDF.ObfuscatedJS-5"
 "Kaspersky": "Exploit.Win32.Pidief.aut"
 "BitDefender": "Exploit.PDF-JS.Gen"
 "ViRobot": ""
 "Sophos": "Mal/PdfEx-C"
 "Comodo": "TrojWare.Win32.Exploit.Pidief.aut"
 "F-Secure": "Exploit.PDF-JS.Gen"
 "DrWeb": "Exploit.PDF.166"
 "AntiVir": "EXP/Pidief.JX"
 "TrendMicro": "TROJ_PIDIEF.ADY"
 "Emsisoft": "Exploit.Pidief!IK"
 "eTrust-Vet": "PDF/Pidief.IQ"
 "Authentium": "PDF/Obfusc.D!Camelot"
 "Jiangmin": ""
 "Antiy-AVL": "Exploit/Win32.Pidief"
 "Microsoft": "Exploit:Win32/Pdfjsc.AS"
 "SUPERAntiSpyware": ""
 "Prevx": ""
 "GData": "Exploit.PDF-JS.Gen"
 "AhnLab-V3": "PDF/Shellcode"
 "VBA32": ""
 "Sunbelt": "Exploit.PDF-JS.Gen (v)"
 "PCTools": "Trojan.Pidief"
 "Rising": ""
 "Ikarus": "Exploit.Pidief"
 "Fortinet": ""
 "AVG": "Exploit"
 "Panda": ""
 "Avast5": "JS:Pdfka-PO"

Detection : (31/41)

I'll improve and fix the code so I can share because now it's impossible . That 120 seconds that I wait is just to make sure that the scan will finish before I try to retrive the results but sometimes depending on file size it'll probably fail .

Nice resource from VirusTotal Team , congratulations!

Happy Hacking!

Rodrigo "Sp0oKeR" Montoro

segunda-feira, 16 de agosto de 2010

SET (Social Engineer Toolkit) PDF’s x AntiVirus & Scoring System

Since Social Engineer Toolkit aka SET is being using in the wild I solved to create their pdf’s and tests against AntiVirus Vendors and against  new detection scoring based on Spiderlabs Research .

  [---]       The Social-Engineer Toolkit (SET)          [---]
  [---]        Written by David Kennedy (ReL1K)          [---]
  [---]                 Version: 0.6.1                   [---]
  [---]            Codename: 'Arnold Palmer'             [---]
  [---]     Report bugs to: davek@social-engineer.org    [---]
  [---]        Java Applet Written by: Thomas Werth      [---]
  [---]        Homepage: http://www.secmaniac.com        [---]
  [---]     Framework: http://www.social-engineer.org    [---]
  [---]       Over 1 million downloads and counting.     [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..
             Follow me on Twitter: dave_rel1k

       DerbyCon 2011 Sep29-Oct02 - A new era begins...

Select from the menu on what you would like to do:

1.  Spear-Phishing Attack Vectors
2.  Website Attack Vectors
3.  Infectious Media Generator
4.  Create a Payload and Listener
5.  Mass Mailer Attack
6.  Teensy USB HID Attack Vector
7   Update the Metasploit Framework
8.  Update the Social-Engineer Toolkit
9.  Help, Credits, and About
10. Exit the Social-Engineer Toolkit

Enter your choice: 1

1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu

Enter your choice: 1

1. Adobe Flash Player 'newfunction' Invalid Pointer Use
2. Adobe Collab.collectEmailInfo Buffer Overflow
3. Adobe Collab.getIcon Buffer Overflow
4. Adobe JBIG2Decode Memory Corruption Exploit
5. Adobe PDF Embedded EXE Social Engineering
6. Adobe util.printf() Buffer Overflow

7. Custom EXE to VBA (sent via RAR) (RAR required)
8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun

Enter the number you want (press enter for default):

1. Windows Reverse TCP Shell
2. Windows Meterpreter Reverse_TCP
3. Windows Reverse VNC
4. Windows Reverse TCP Shell (x64)
5. Windows Meterpreter Reverse_TCP (X64)
6. Windows Shell Bind_TCP (X64)

Enter the payload you want (press enter for default):

* All payload 1 – Windows Reverse TCP Shell with port 2345

1. Adobe Flash Player 'newfunction' Invalid Pointer Use


File name:flashplayer-newfunction.pdf
Submission date: 2010-08-15 01:27:19 (UTC)
Result: 15/ 42 (35.7%)

$ pdf-analisys.pl -s1 -f flashplayer-newfunction.pdf

flashplayer-newfunction.pdf Malicious PDF Detected

2. Adobe Collab.collectEmailInfo Buffer Overflow


File name: collab-collectEmailInfo.pdf
Submission date: 2010-08-15 01:35:55 (UTC)
Result: 17/ 42 (40.5%)

$ pdf-analisys.pl -s1 -f collab-collectEmailInfo.pdf

collab-collectEmailInfo.pdf Malicious PDF Detected

3. Adobe Collab.getIcon Buffer Overflow

File name: collab-getIcon.pdf
Submission date: 2010-08-15 01:41:34 (UTC)
Result: 15/ 42 (35.7%)

pdf-analisys.pl -s1 -f collab-getIcon.pdf

collab-getIcon.pdf Malicious PDF Detected

4. Adobe JBIG2Decode Memory Corruption Exploit


File name: JBIG2Decode.pdf
Submission date: 2010-08-15 01:45:56 (UTC)
Result: 15/ 42 (35.7%)

$ pdf-analisys.pl -s1 -f JBIG2Decode.pdf

JBIG2Decode.pdf Malicious PDF Detected

5. Adobe PDF Embedded EXE Social Engineering

File name: embeddedfile.pdf
Submission date: 2010-08-15 02:05:36 (UTC)
Result: 15/ 41 (36.6%)

$ pdf-analisys.pl -s1 -f embeddedfile.pdf

embeddedfile.pdf Malicious PDF Detected

6. Adobe util.printf() Buffer Overflow


File name: utilprintf.pdf
Submission date: 2010-08-15 02:13:34 (UTC)
Result: 16/ 42 (38.1%)

$ pdf-analisys.pl -s1 -f utilprintf.pdf

utilprintf.pdf Malicious PDF Detected

8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun

File name: U3D.pdf
Submission date: 2010-08-15 02:18:33 (UTC)
Result: 11/ 42 (26.2%)

pdf-analisys.pl -s1 -f U3D.pdf

U3D.pdf Malicious PDF Detected

Clamav Results

collab-collectEmailInfo.pdf: OK
collab-getIcon.pdf: OK
embeddedfile.pdf: Exploit.PDF-22612 FOUND
flashplayer-newfunction.pdf: OK
JBIG2Decode.pdf: OK
U3D.pdf: OK
utilprintf.pdf: OK

----------- SCAN SUMMARY -----------
Known viruses: 813894
Engine version: 0.96.1
Scanned files: 7
Infected files: 1

* Clamav just updated to new engine 0.96.2 that detected all 7 samples as malicious so UPDATE your engine ASAP .

Virus Total Results

Result: 15/ 42 (35.7%)
Result: 17/ 42 (40.5%)
Result: 15/ 42 (35.7%)
Result: 15/ 42 (35.7%)
Result: 15/ 41 (36.6%)
Result: 16/ 42 (38.1%)
Result: 11/ 42 (26.2%)

Average Detection: 14,85 / 42 or 35,37%

Top5* AntiVirus Results

* Top5 antivirus based on most common names not in detection rates

** Payloads listed bellow:
1. Adobe Flash Player 'newfunction' Invalid Pointer Use
2. Adobe Collab.collectEmailInfo Buffer Overflow
3. Adobe Collab.getIcon Buffer Overflow
4. Adobe JBIG2Decode Memory Corruption Exploit
5. Adobe PDF Embedded EXE Social Engineering
6. Adobe util.printf() Buffer Overflow
8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun

Scoring System Results 

collab-collectEmailInfo.pdf Malicious PDF Detected
collab-getIcon.pdf Malicious PDF Detected
embeddedfile.pdf Malicious PDF Detected
flashplayer-newfunction.pdf Malicious PDF Detected
JBIG2Decode.pdf Malicious PDF Detected
U3D.pdf Malicious PDF Detected
utilprintf.pdf Malicious PDF Detected

We sent some papers to a couple of conferences to star to share those information . I’ll let you know if we get approve and where =) .

Let’s keep improving our research and sharing each time more and more information. In the future we’ll share all the information , scoring and parser .


Rodrigo "Sp0oKeR" Montoro

quinta-feira, 5 de agosto de 2010

Pic from Vegas/Blackhat/Caesar

Only picture with part of Brazilian friends in Vegas in front of Caesars after Blackhat 2010

Mab ,  Rodrigo , Wendel , Bruno and Fio

Nice Blackhat staff shirt no ? =D

I'll write a post about Blackhat/Defcon/Spiderlabs meeting during this week yet =)


Rodrigo Montoro (Sp0oKeR)

quarta-feira, 4 de agosto de 2010

RazorBack - New Sourcefire VRT Project

VRT guys just released at Defcon 18 version 0.1 for RazorBack . The project is REALLY interesting and it's targeting client-side attack mostly since that's currently where most attacks are .

What is RazorBack ?

Project Razorback™ is an undertaking by the Sourcefire VRT.
Razorback is a framework for an intelligence driven security solution. It consists of a Dispatcher at the core of the system, surrounded by Nuggets of varying types.

The project page could be found here : http://labs.snort.org/razorback/

There you will find the slides, papers,  0.1 files version. Besides that they created a new channel at irc.freenode.net #razorback .

I'll try to do lot of test in next week and post about those here .

For sure this project will grow a lot quickly and kickass in the future . Get involved . I'll for sure .

Happy Snorting!

Rodrigo Montoro (Sp0oKeR)

terça-feira, 27 de julho de 2010

Snort 2.9.0 Beta Available

Awesome new features coming with snort 2.9.0 . I'll do lot of tests after Blackhat/Defcon .

A beta version of Snort 2.9.0 is now available on snort.org, at

Snort 2.9.0 introduces:

  * Feature rich IPS mode including improvements to Stream for
    inline deployments.  Additionally a common active response API is
    used for all packet responses, including those from Stream,
    Respond, or React.  A new response module, respond3, supports the
    syntax of both resp & resp2, including strafing for passive
    deployments.  When Snort is deployed inline, a new preprocessor
    has been added to handle packet normalization to allow Snort
    to interpret a packet the same way as the receiving host.

  * Use of a Data Acquisition API (DAQ) that supports many different
    packet access methods including libpcap, netfilterq, IPFW, and
    afpacket.  For libpcap, version 1.0 or higher is now required.
    The DAQ library can be updated independently from Snort and is
    a separate module that Snort links.  See README.daq for details
    on using Snort and the new DAQ.

  * Updates to HTTP Inspect to extract and log IP addresses from
    X-Forward-For and True-Client-IP header fields when Snort generates
    events on HTTP traffic.

  * A new rule option 'byte_extract' that allows extracted values to
    be used in subsequent rule options for isdataat, byte_test,
    byte_jump, and content distance/within/depth/offset.

  * Updates to SMTP preprocessor to support MIME attachment decoding
    across multiple packets.

  * Ability to "test" drop rules using Inline Test Mode.  Snort will
    indicate a packet would have been dropped in the unified2 or
    console event log if policy mode was set to inline.

  * Two new rule options to support base64 decoding of certain pieces
    of data and inspection of the base64 data via subsequent rule

  * Updates to the Snort packet decoders for IPv6 for improvements to
    anomaly detection.

  * Added a new pattern matcher that supports Intel's Quick Assist
    Technology for improved performance on supported hardware
    platforms.  Visit http://www.intel.com to find out more about
    Intel Quick Assist.  The following document describes Snort's
    integration with the Quick Assist Technology

  * Reference applications for reading unified2 output that handle
    all unified2 record formats used by Snort.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to snort-beta@sourcefire.com.

Happy Snorting!
The Snort Release Team

sexta-feira, 23 de julho de 2010

Updates/New Features at ViCheck and VirusTotal

This week those nice online tools made great enhancements specially ViCheck

From ViCheck Blog:

Report page enhancements and Email Report 

For recently processed documents such as PDF or MS Office (engine >=193) we are now highlighting more information about the embedded executable such as the encryption/cipher method and information about the key.

To read and see samples about those:


From Virus Total Blog:

They added new engine from SUPERAntiSpyware ( http://www.superantispyware.com/ ) what I help to improve the AV detection rates. Hope it's something not too static only . I really never heard about this engine before .

To read about this: http://blog.hispasec.com/virustotal/49

 Happy Hacking!

Rodrigo Montoro (Sp0oKeR)

quinta-feira, 22 de julho de 2010

Blackhat / Defcon Las Vegas (english)


This week I'm going to Vegas cause 3 reasons (not in particular order) :

1-) I'm invited to be staff at Blackhat. I'll be Speaker Proctor and I'm very excited with that since I will be in touch with awesome security guys and specially I'll have a Staff T-shirt with my nickname (that's too nerds I know but I love conferences tshirts).

2-) Defcon as always good talks and 10% of Blackhat's price what make it perfect to go .

3-) Spiderlabs Summer Meeting  where all my spiderlabs team will meet there, discuss projects, futures , keep in touch in person since we are world spread.



If you are going to Vegas ping me and let's talk and have some beers.

Beside me lot of brazilian will be there too as Thiago Bordini, Clebeer , Bruno (mphx2) , Luiz Eduardo (le) , Willian Caprino (Billy) , Cristiane Baffa, Wendel , Rodrigo Rubira  (bsdaemon) , Fernando Amatte and others .

Happy Hacking!

Rodrigo Montoro(Sp0oKeR)

Blackhat / Defcon Las Vegas (pt_BR)

Essa semana estou indo para Las Vegas por 3 motivos:

1-) Fui convidado para ser Staff na Blackhat, estou muito feliz com isso e quem sabe nao abro porta para outros brasilieiros nos anos seguintes . Serei o que chamam de Speaker Proctor e como bom nerds o que estou mega empolgado sera com a camiseta de staff com meu nick la

2-) Defcon como sempre o melhor custo beneficio de eventos visto que custa 10% da Blackhat

3-) Spiderlabs Summer Meeting ou seja, reuniao de todo o time do Spiderlabs no mundo que acontece em conjunto com as duas conferencias, combinacao perfeita de datas .



Se for para la entre em contato para papearmos e tomarmos uma cerveja .

Happy Hacking!

Rodrigo Montoro(Sp0oKeR)

terça-feira, 20 de julho de 2010

Not Malicious PDF - Which online tool should we trust ?


Since people trust this blog and what I write here I always try my best. Unfortunatly sometimes we make some mistakes. My last post was about 0/43 malicious PDF not being detect by any Antivirus , since the begin I was in doubt about if it was malicious or not so I tested against some webtools as you read at my last post http://spookerlabs.blogspot.com/2010/07/malicious-pdf-not-detected-by-any.html

When I got 0/43 and analyzing the PDF structure with Didier Stevens tools I can say that the score was 1 x 1 since VirusTotal considered normal and pdfid pointed to something not common .

One point that I listed in the other post was the JSunpack Detection that just trys to find the word getAnnots (since it's not common used) . Another point that I was looking and not feel confortable was about JoeDoc results that told the PDF was exploitable at 9.2 version and CVE-2009-1492 just affects until 9.1 version

From : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1492

"The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments. "

Based on that the real results about the tools and this analysis :

JSunpack - Failed

$ ./jsunpackn.py c0610pall_MPA_Kit.re.pdf -V

[suspicious:3] [PDF] c0610pall_MPA_Kit.re.pdf.maybe.vir
suspicious: getAnnots CVE-2009-1492 detected 

rule getAnnots: decodedPDF
impact = 3 //Since getAnnots may be legitimate
ref = "CVE-2009-1492"
hide = true
$cve20091492 = "getAnnots" nocase fullword
1 of them

www.vicheck.ca - Failed

Date: 2010-07-15 18:59:54
Web submission from


EXECUTABLE SCAN: Javascript obfuscation syncAnnotScan to hide blocks (pdfexploit/full)


Confidence ranking: 75 (2 hits).

External hash searches:

VIRUS SCAN VirusTotal: 0/42 not detected
REPORT http://www.virustotal.com/analisis/10e735332a0bfb899a0a8ec83cb15f78915bf0a1fdbd311226f26e7501c5d766-1279207142
VIRUS SCAN Threat Expert: New

PDF Structure - "Failed" but I can say that I analyzed lot of samples and this isn't a common file format for normal PDF

1 Page file
/Javascript e /JS options

Virustotal - OK - http://www.virustotal.com

JoeDoc - Failed - http://www.joedoc.org

Joedoc (Beta) has detected the the following results:

Runtime detections:

- Successful exploit on Acrobat 9.2
- Successful exploit on Acrobat 9.0

- Successful exploit on Acrobat 8.1.2
- No exploit on Acrobat 7.0.5

This sample is that kind of sample that have everything to be malicious but it's not. To make sure I installed a VM and opened this file (Adobe 8 version) and a new sample  that reported as the same that @2gg shared again that make feel confortable to say that it's a False Positive .

Sorry about that but I'll always try my best and I'll triple check next time since double check failed! Anyway in my opinion is better a False Positive with this uncommon file that you can handle that a False Negative with something much similar and malicious for real .

Keep reading since we will have lot of good stuff about our research in the future and for sure with few False Positives and Negatives as any malware detection tool .

Regards ,

Rodrigo Montoro (Sp0oKeR)

segunda-feira, 19 de julho de 2010

Malicious PDF not detected by any antivirus signature (Updated/Incorrect)

Please read the new post explaining what this post was wrong



Today I got something curious in my PDF analysis:

@2gg a friend from twitter sent me some samples and 3 of them I tried to run against VirusTotal to make sure my research isn't generating False Positives(FP). For my surprise I uploaded a file to there and I got the detection Results: 0/43 .

File name:
Submission date:
2010-07-15 15:42:59 (UTC)
Current status:

0/ 43 (0.0%)

Our Research result was:

/LABS/pdf-basics$ perl pdf-analisys.pl -f c0610pall_MPA_Kit.re.pdf

c0610pall_MPA_Kit.re.pdf Malicious PDF Detected

That means that my script was generating a FP but based on analysis using Didier Stevens tools I was thinking that Antivirus failed totally against this sample.

So I ran the PDF against jsunpack-n to have a third test and I got:

$ ./jsunpackn.py c0610pall_MPA_Kit.re.pdf -V

[suspicious:3] [PDF] c0610pall_MPA_Kit.re.pdf.maybe.vir
suspicious: getAnnots CVE-2009-1492 detected

info: [decodingLevel=0] JavaScript in PDF 1298 bytes, with 1329 bytes headers
info: [decodingLevel=1] found JavaScript
info: file: saved /LABS/pdf-basics/samples/twitter2/c0610pall_MPA_Kit.re.pdf.maybe.vir to (./files/original_4b088c4be0c7bfca3ccbad187f97215d5fb1b181)
file: decoding_438f8880e0e100142aae652071590ba9ea2c572a: 2627 bytes
file: original_4b088c4be0c7bfca3ccbad187f97215d5fb1b181: 1406792 bytes

Talking to Mila from http://contagiodump.blogspot.com she pointed me to jsunpack result online http://jsunpack.jeek.org/dec/go?report=763c8312212dc379e18facb9d96815af36eb79ba .

Another things that pointed me that it a malicious file and I needed to figured out how to comprove was based on pdfid output :

PDFiD 0.0.11 c0610pall_MPA_Kit.re.pdf
PDF Header: %PDF-1.7
obj 60
endobj 60
stream 21
endstream 22
xref 2
trailer 2
startxref 2
/Page 1
/Encrypt 0
/ObjStm 2
/JS 1 /JavaScript 2
/AA 0
/OpenAction 0
/AcroForm 0
/JBIG2Decode 0
/RichMedia 0
/URI 2
/EmbeddedFile 0
/EmbeddedFiles 1
/cmd 0
/Action 0
/Launch 0
/Colors > 2^24 0

Based on that I started to test more in deep to try to make sure about this 0/43 result isn't a false negative or my research was generating a false positive

Analyzing JSunpack detection code I found

rule getAnnots: decodedPDF
impact = 3 //Since getAnnots may be legitimate
ref = "CVE-2009-1492"
hide = true
$cve20091492 = "getAnnots" nocase fullword
1 of them

That means that those alert didn't really mean that something is trying to exploit the flaw since getAnnots is a feature (not widely or common used) at PDF .

So @snowfl0w from http://contagiodump.blogspot.com pointed me to a very nice check website called https://www.vicheck.ca where I sent the sample and got the follow results:


Thank you for your recent submission to vicheck.ca.

Date: 2010-07-15 18:59:54
Web submission from


EXECUTABLE SCAN: Javascript obfuscation syncAnnotScan to hide blocks (pdfexploit/full)

REPORT: https://www.vicheck.ca/md5query.php?hash=e40b33d95cb79765664d76e26d694efb

Confidence ranking: 75 (2 hits).

External hash searches:
VIRUS SCAN VirusTotal: 0/42 not detected
REPORT http://www.virustotal.com/analisis/10e735332a0bfb899a0a8ec83cb15f78915bf0a1fdbd311226f26e7501c5d766-1279207142
VIRUS SCAN Threat Expert: New


As last test I sent it to joedoc.org and I got good results too

Joedoc (Beta) has detected the the following results:

Runtime detections:

- Successful exploit on Acrobat 9.2
- Successful exploit on Acrobat 9.0

- Successful exploit on Acrobat 8.1.2
- No exploit on Acrobat 7.0.5

Special thanks for @2gg and @snowfl0w

** About Virus Total it basically runs the sample against signatures and some AV protections have some behavior analysis among other tests that weren't realized against this sample.


Rodrigo Montoro (Sp0oKeR)

sexta-feira, 16 de julho de 2010

ISSA Day Julho @ Checkpoint


Lembro que o ISSA Day eh um evento gratuito e excelente oportunidade de networking alem de boas palestras

O Capítulo Brasil da ISSA convida a todos os interessados a participar do ISSA Day de Julho 2010.

O evento é gratuito e aberto a qualquer interessado e tem o apoio da empresa Check Point.

Data: 20 de Julho de 2010


19:00h – Apresentação ISSA Brasil

19:30h – Daniel Bortolazzo (Check Point) – Palestra sobre DLP

20:30h – Coffee Break / Networking

21:00h – Cleber Brandão (BrConnection) / Rodrigo Branco (Check Point) – Palestra sobre Análise e Pesquisas de Malware usando ferramentas Open Source e Desenvolvendo Ferramentas Corporativas


Check Point Software Technologies (Brazil) Ltda.
Rua Samuel Morse, 120 – Itaim Bibi
04576-060 – São Paulo, SP Brazil

Quem se interessar tem que se inscrever: http://www.issabrasil.org/2010/07/16/issa-day-julho-2010/

Happy Hacking!

Rodrigo Montoro(Sp0oKeR)

quarta-feira, 7 de julho de 2010

Intrusion Prevention Summit (Online) – July 8, 2010

Meio de ultima hora mas recebi isso no linkedin e achei bem interessante pois alem de ser free tambem sera online (em ingles).

I have included below links to a free online summit on Intrusion Prevention that takes place on July 8. At this summit, leading experts will look at the emerging threat landscape and provide tips to ensure your security management program can best overcome these new challenges in intrusion prevention. It will also cover key aspects in detecting, patching and immunizing your network to prevent repeated attacks from occurring. Hear leading industry experts from TechTarget, Vodafone, SecureWorks, ISACA, Fortinet and more as they discuss the latest innovations, best practices, barriers to implementation and measurable benefits of intrusion prevention.

Register here: http://www.brighttalk.com/r/svf

Intrusion Prevention Summit Presentations Include:

“When Prevention Fails: The Role of IPS in Incident Response”
C. Matthew Curtin, Founder, Interhack

“Threat Prevention for 2010 and Beyond”
Jason Clark, SE Manager, US Channels, Fortinet

“Network Intrusion Prevention vs. Anomaly Detection
Mike Fratto, Editor, Network Computing

“Top Risks Associated with Implementing IPS”
Marco Ermini, Network Security Manager, Vodafone Group Services

“The Digital Disaster – Dealing with Computer Incidents”
Jan Collie, Manager Director & Principal Investigator, The Digital Detective Ltd.

“Why “Human Intelligence” is Critical to Effective IPS
Paul Pearston, Security Solutions Architect, SecureWorks

“Intrusion Prevention, Are We Joking?
Mark Henshaw, Director, ISACA London & Chairman, ISACA Winchester

“What’s the Future for Intrusion Prevention? Key 2011 Trends”
Ron Condon, UK Bureau Chief, TechTarget

Register here: http://www.brighttalk.com/r/svf

Posted By Holger Schulze

Happy Detection!

Rodrigo Montoro(Sp0oKeR

segunda-feira, 14 de junho de 2010

Nova turma - Treinamento Snort Basico - 07/08/2010

Primeiramente agradecer a todos (15 participantes) da turma do dia 12 de Junho do treinamento Snort Maos na Massa com a Temporeal Eventos.

Abaixo alguns depoimentos que recebemos


"Muito bom, atendeu minhas expectativas. Recomendo a todos!"
Thiago D. Magnani

"Como primeiro contato com a ferramenta, gostei muito. O Snort Tutorial Mão na Massa antendeu minhas expectativas. Recomendo!."
Marcelo Solha

"O treinamento superou minhas expectativas".
André Gustavo Miura

"Os professores do treinamento são muito bons; são excelentes".
Leonardo Silva

Dando continuadade ao treinamento realizaremos a proxima turma no dia 7 de agosto de 2010.

Para se inscrever: http://www.temporealeventos.com.br/?area=87

Happy Snorting!

Rodrigo Montoro(Sp0oKeR)

terça-feira, 8 de junho de 2010

OWASP AppSec Brasil 2010 - Chamada de mini-cursos



O OWASP (Open Web Application Security Project) solicita propostas de apresentações para a conferência AppSec Brasil 2010, que ocorrerá na Fundação CPqD em Campinas, SP, de 16 a 19 de novembro de 2010. Haverá mini-cursos nos dias 16 e 17, seguidos de sessões plenárias de trilha única nos dias 18 e 19 de novembro de 2010.

Buscamos pessoas e organizações que queiram ministrar mini-cursos sobre segurança de aplicações. Destacamos os seguintes tópicos de interesse:

- Modelagem de ameaças em aplicações (Application Threat Modeling)
- Riscos de Negócio em Segurança de aplicações (Business Risks with
Application Security)
- Aplicações de Revisões de Código (Hands-on Source Code Review)
- Métricas Aplicadas a Segurança de Aplicações (Metrics for
Application Security)
- Ferramentas e Projetos do OWASP (OWASP Tools and Projects)
- Tópicos de Privacidade em Aplicações e Armazenamento de Dados (Privacy Concerns with Applications and Data Storage)
- Práticas de Programação Segura (Secure Coding Practices)
- Programas de Segurança para todo o Ciclo de Vida de aplicações (Secure Development Lifecycle Programs)
- Tópicos de Segurança para tecnologias específicas (AJAX, XML,Flash, etc) (Technology specific presentations on security such as AJAX, XML, etc)
- Controles de Segurança para aplicações Web (Web Application Security countermeasures)
- Testes de Segurança de aplicações Web (Web Application Security Testing)
- Segurança de Web Services ou XML (Web Services, XML and Application Security)

A lista de tópicos não é exaustiva; outros tópicos podem ser abordados, desde que em consonância com o tema central do evento.

Para submeter uma proposta, preencha o formulário disponível em
que deve ser enviado por email para organizacao2010@appsecbrasil.org.

Cada mini-curso poderá ter 1 ou 2 dias (8 horas por dia) de duração e deverão estar em conformidade com as regras definidas pelo OWASP em seu "Speaker Agreement". A conferência pagará aos instrutores pelo menos 30% do fatuamente de seus mini-cursos. Cursos que consigam atrair mais que o número mínimo de alunos poderão receber percentagens
maiores (mais detalhes abaixo). Não haverá qualquer outro tipo de remuneração (passagens, hospedagem, etc) para os apresentadores ou autores dos mini-cursos. Caso seja necessário um arranjo diferente, favor entrar em contacto com o comitê organizador pelo email abaixo.

Os instrutores e autores dos cursos serão remunerados conforme a quantidade de alunos. Se o curso atrair apenas o número mínimo de alunos, a remuneração será 30% do faturamento. Para cada 10 alunos a mais, a remuneração será acrescida de 5% do faturamento, até um máximo
de 45% do faturamento do curso. Por exemplo, para um curso de 1 dia para uma turma de 10 a 19 alunos, os instrutores e autores receberão 30% do faturamento do curso. Para turmas entre 20 e 29 alunos, a remuneração sobe para 35% do faturamento e assim sucessivamente.

Em casos excepcionais, poderá ser acordado um esquema diferente para remuneração dos instrutores. Possíveis interessados devem entrar em contacto com a comissão organizadora pelo email organizacao2010@appsecbrasil.org

**Valores das inscrições**
Cursos de 1 dia: R$ 450 por aluno
Cursos de 2 días: R$ 900 por aluno

**Mínimo de alunos**
10 alunos para cursos de 1 dia
20 alunos para cursos de 2 dias

**Datas importantes:**
A data limite para apresentação de propostas é 26 de julho de 2010 às 23:59, horário de Brasília.
A notificação de aceitação ocorrerá até o dia 16 de agosto de 2010.
A versão final do material dos mini-cursos deverá ser enviada até o dia 15 de setembro de 2010.

A comissão organizadora da conferência pode ser contactada pelo e-mail: organizacao2010@appsecbrasil.org

Para mais informações, favor consultar as seguintes páginas:

Página da conferência:http://www.owasp.org/index.php/AppSec_Brasil_2010_(pt-br)

OWASP Speaker Agreement (em inglês):http://www.owasp.org/index.php/Speaker_Agreement

Página do OWASP: http://www.owasp.org

Página da conferência no Easychair: http://www.easychair.org/conferences/?conf=appsecbr2010

Formulário para apresentação de propostas: http://www.owasp.org/images/4/43/OWASP_AppSec_Brasil_2010_CFT%28pt-br%29.rtf.zip

********* ATENÇÃO: Não serão aceitas propostas sem TODAS as informações solicitadas no formulário *********

Favor divulgar a todos os possíveis interessados.

segunda-feira, 24 de maio de 2010

Quando uma falha no site do pwnies vira a melhor falha ...

Para quem nao conhece o pwnies award acontece para dar um premio para hypes , falhas toscas entre outros que voce pode ver aqui http://pwnies.com/

Acompanhando timeline no twitter publicaram uma falha de CSRF que no site http://pwnies.com/ no qual ele faz voce votar ("sem saber") pois o site possui a falha.

Basica analise do post que vem com shortnerurl o que induz as pessoas clicarem e elas nem saberam o que aconteceu (menos mal que nao acontece nada malicioso).

A URL em si que vi no twitter http://bit.ly/9PFdhq

Seguindo a mesma chegamos :

-bash-3.00$ telnet bit.ly 80

Connected to bit.ly (
Escape character is '^]'.
HEAD /9PFdhq HTTP/1.1

HTTP/1.1 301 Moved
Server: nginx/0.7.42
Date: Mon, 24 May 2010 20:31:32 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: _bit=4bfae224-002e8-00432-aba08fa8;domain=.bit.ly;expires=Sat Nov 20 15:31:32 2010;path=/; HttpOnly
MIME-Version: 1.0
Content-Length: 297

Fazendo o dump do source do lolpwnie.html temos

bash-3.00$ links --source

Resultado/Codigo postado aqui http://pastebin.com/B4fPditn

Ou seja, quando voce abre a URL , voce votara que a melhor falha foi "Pwnies.com CSRF Vulnerability" o que no minimo fica ironico


Ele ja corrigiram a falha, agora quando tenta acessar o CSRF vem a mensagem "Submission failed. Please try later or email your submission to info@pwnies.com"

Happy Hacking!

Rodrigo Montoro(Sp0oKeR)

quinta-feira, 6 de maio de 2010

PDF / Javascripts Maliciosos


Estou a procura de pdf maliciosos para analise. Caso tenham recebido algum e possa repassar ficarei bem grato. Pretendo postar alguns resultados das analises .

Exemplos de javascripts maliciosos tambem sao bem vindos.

Happy Research!

Rodrigo Montoro(Sp0oKeR)

quarta-feira, 5 de maio de 2010

SRW - Snort Rules Week estara de volta!


O SRW - Snort Rules Week deu uma parada por falta de tempo mas na proxima semana estara com tudo de volta e possivelmente informacoes baseadas num mundo mais real e nao somente na analise estatica das regras.

Em segundo plano tambem pretendo fazer a versao no formato podcast o que ficaria melhor para discutirmos as tendencias mas essa segunda etapa possivelmente so em Junho.

Fiquem atento e nos acompanhem!

Happy Snorting!

Rodrigo Montoro

quarta-feira, 28 de abril de 2010

(IN)SECURE Magazine issue 25 released

Table of contents
  • The changing face of penetration testing: Evolve or die!
  • Review: SmartSwipe
  • Unusual SQL injection vulnerabilities and how to exploit them
  • Take note of new data notification rules
  • RSA Conference 2010 coverage
  • Corporate monitoring: Addressing security, privacy, and temptation in the workplace
  • Cloud computing and recovery, not just backup
  • EJBCA: Make your own certificate authority
  • Advanced attack detection using OSSIM
Revista digital excelente e gratuita =)

Para baixa-la: http://www.net-security.org/secworld.php?id=9111

Happy Hacking!

Rodrigo Montoro(Sp0oKeR)

quinta-feira, 1 de abril de 2010

Podcast Segurança Nacional - [i shot the sheriff] Edição 73 - 31.03.2010

Duração: 1 hora e 15 minutos



Gamesec 2010 CFP - Conference on Decision and Game Theory for Security

PlumberCOn CFP

HITB Dubai Agenda

EC2ND 2010 CFP


Stay Safe – PodCast

Law Enforcement Appliance Subverts SSL

Cisco's Backdoor For Hackers

PCI Council And Passwords: Do As We Say, Not As We Do

U.S. enables Chinese hacking of Google

YSTS Schedule Highlights

Para ouvi-lo: http://www.naopod.com.br

Happy Hacking

Rodrigo Montoro(Sp0oKeR)

terça-feira, 23 de março de 2010

Treinamento OSSEC e Snort Temporeal Eventos


Eu e o Marcos Aurélio ministraremos 2 treinamentos em parceria com a temporeal eventos , serão treinamentos de 1 dia realizados aos sabados :

OSSEC HIDS no dia 17 de Abril

Objetivo: O objetivo do Ossec Tutorial Mão na Massa Tempo Real Eventos é demonstrar como o OSSEC HIDS pode trabalhar para fornecer um grau de segurança apronfundado realizando integração com ativos de TI. Será abordado como a partir de analises de logs podemos obter informações que podem ajudar a prevenir futuros ataques ou interromper ataques em tempo real. Apresentar o que é e como funciona o sistema de detecção de rootkits, checagem de integridade do sistema de arquivos e resposta ativa. Explicação básica sobre utilização de decoders , regras e envio de alertas.

O Tutorial Ossec detalhará os diferentes tipos de instalação, entender os pré-requisitos para uma instalação bem sucedida de um sistema HIDS, como trabalhar com o correlacionamento de eventos dentro do OSSEC, como criar seus próprios correlacionamentos, como obter informações sobre eventos gerados pelo OSSEC através do OSSEC WUI.

Mais informações: http://www.temporealeventos.com.br/?area=175

Snort IDS no dia 08 de Maio de 2010

Objetivo: O Tutorial Mão na Massa Snort tem o objetivo de demonstrar o funcionamento do snort da seguinte maneira: como instalar, como gerenciar através de interface gráfica, como manter o sistema atualizado e como realizar testes periódicos. Será abirdado também o básico sobre escrita de assinaturas.

O Tutorial Snort Mão na Massa contemplará os
ataques mais comuns e como funcionam, de maneira a gerar discussão sobre melhorias de performance, atualizacões e relatórios gráficos de ataques, tendências de problemas com invasão na sua rede, entre outros.

Mais informações: http://www.temporealeventos.com.br/?area=87

Nos vemos por lá =)

Rodrigo Montoro(Sp0oKeR)