Tuesday, July 27, 2010

Snort 2.9.0 Beta Available

Awesome new features are coming with Snort 2.9.0. I'll do lots of tests after Blackhat/Defcon.


A beta version of Snort 2.9.0 is now available on snort.org, at
http://www.snort.org/snort-downloads/

Snort 2.9.0 introduces:

  * Feature rich IPS mode including improvements to Stream for
    inline deployments.  Additionally a common active response API is
    used for all packet responses, including those from Stream,
    Respond, or React.  A new response module, respond3, supports the
    syntax of both resp & resp2, including strafing for passive
    deployments.  When Snort is deployed inline, a new preprocessor
    has been added to handle packet normalization to allow Snort
    to interpret a packet the same way as the receiving host.

  * Use of a Data Acquisition API (DAQ) that supports many different
    packet access methods including libpcap, netfilterq, IPFW, and
    afpacket.  For libpcap, version 1.0 or higher is now required.
    The DAQ library can be updated independently from Snort and is
    a separate module that Snort links.  See README.daq for details
    on using Snort and the new DAQ.

  * Updates to HTTP Inspect to extract and log IP addresses from
    X-Forward-For and True-Client-IP header fields when Snort generates
    events on HTTP traffic.

  * A new rule option 'byte_extract' that allows extracted values to
    be used in subsequent rule options for isdataat, byte_test,
    byte_jump, and content distance/within/depth/offset.

  * Updates to SMTP preprocessor to support MIME attachment decoding
    across multiple packets.

  * Ability to "test" drop rules using Inline Test Mode.  Snort will
    indicate a packet would have been dropped in the unified2 or
    console event log if policy mode was set to inline.

  * Two new rule options to support base64 decoding of certain pieces
    of data and inspection of the base64 data via subsequent rule
    options.

  * Updates to the Snort packet decoders for IPv6 for improvements to
    anomaly detection.

  * Added a new pattern matcher that supports Intel's Quick Assist
    Technology for improved performance on supported hardware
    platforms.  Visit http://www.intel.com to find out more about
    Intel Quick Assist.  The following document describes Snort's
    integration with the Quick Assist Technology
http://download.intel.com/embedded/applications/networksecurity/324029.pdf

  * Reference applications for reading unified2 output that handle
    all unified2 record formats used by Snort.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to snort-beta@sourcefire.com.

Happy Snorting!
The Snort Release Team

Friday, July 23, 2010

Updates/New Features at ViCheck and VirusTotal

This week those nice online tools made great enhancements, especially ViCheck.

From ViCheck Blog:

Report page enhancements and Email Report 

For recently processed documents such as PDF or MS Office (engine >=193) we are now highlighting more information about the embedded executable such as the encryption/cipher method and information about the key.


To read about these and see samples:


http://vicheck.blogspot.com/2010/07/email-report-enhancements.html
http://vicheck.blogspot.com/2010/07/report-page-enhancements.html


From the VirusTotal Blog:

They added a new engine from SUPERAntiSpyware (http://www.superantispyware.com/), which I hope helps to improve the AV detection rates. I hope it's not something too static. I had really never heard about this engine before.

To read about this: http://blog.hispasec.com/virustotal/49

Happy Hacking!


Rodrigo Montoro (Sp0oKeR)

Thursday, July 22, 2010

Blackhat / Defcon Las Vegas (english)

Guys,

This week I'm going to Vegas for 3 reasons (in no particular order):

1-) I'm invited to be staff at Blackhat. I'll be a Speaker Proctor and I'm very excited about that, since I will be in touch with awesome security guys and, especially, I'll have a Staff T-shirt with my nickname (that's too nerdy, I know, but I love conference t-shirts).

2-) Defcon, as always, has good talks and costs 10% of Blackhat's price, which makes it perfect to go to.

3-) SpiderLabs Summer Meeting, where all my SpiderLabs team will meet, discuss projects and the future, and keep in touch in person, since we are spread around the world.

Sites:

http://www.blackhat.com
http://www.defcon.org
http://www.trustwave.com/spiderlabs

If you are going to Vegas ping me and let's talk and have some beers.

Besides me, lots of Brazilians will be there too, such as Thiago Bordini, Clebeer, Bruno (mphx2), Luiz Eduardo (le), Willian Caprino (Billy), Cristiane Baffa, Wendel, Rodrigo Rubira (bsdaemon), Fernando Amatte and others.

Happy Hacking!

Rodrigo Montoro (Sp0oKeR)

Blackhat / Defcon Las Vegas (pt_BR)

Dear all,
This week I'm going to Las Vegas for 3 reasons:

1-) I was invited to be Staff at Blackhat. I'm very happy about that and, who knows, maybe it opens the door for other Brazilians in the following years. I'll be what they call a Speaker Proctor and, like a good nerd, what I'm most excited about is the staff t-shirt with my nick on it.

2-) Defcon, as always the best cost-benefit among events, since it costs 10% of Blackhat.

3-) SpiderLabs Summer Meeting, that is, a meeting of the whole SpiderLabs team worldwide, which happens together with the two conferences: a perfect combination of dates.

Sites:

http://www.blackhat.com
http://www.defcon.org
http://www.trustwave.com/spiderlabs

If you're going there, get in touch so we can chat and have a beer.

Happy Hacking!

Rodrigo Montoro (Sp0oKeR)

Tuesday, July 20, 2010

Not Malicious PDF - Which online tool should we trust?

Guys,

Since people trust this blog and what I write here, I always try my best. Unfortunately, sometimes we make some mistakes. My last post was about a malicious PDF with 0/43 not being detected by any antivirus; since the beginning I was in doubt about whether it was malicious or not, so I tested it against some web tools, as you read in my last post http://spookerlabs.blogspot.com/2010/07/malicious-pdf-not-detected-by-any.html

When I got 0/43 and analyzed the PDF structure with Didier Stevens' tools, I can say that the score was 1 x 1, since VirusTotal considered it normal and pdfid pointed to something not common.

One point that I listed in the other post was the JSunpack detection, which just tries to find the word getAnnots (since it's not commonly used). Another point that I was looking at and not feeling comfortable with was the JoeDoc results, which said the PDF was exploitable on version 9.2, while CVE-2009-1492 only affects versions up to 9.1.

From: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1492

"The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments."

Based on that, the real results for the tools and this analysis:

JSunpack - Failed

$ ./jsunpackn.py c0610pall_MPA_Kit.re.pdf -V

[suspicious:3] [PDF] c0610pall_MPA_Kit.re.pdf.maybe.vir
suspicious: getAnnots CVE-2009-1492 detected 


rule getAnnots: decodedPDF
{
    meta:
        impact = 3 //Since getAnnots may be legitimate
        ref = "CVE-2009-1492"
        hide = true
    strings:
        $cve20091492 = "getAnnots" nocase fullword
    condition:
        1 of them
}



www.vicheck.ca - Failed

Date: 2010-07-15 18:59:54
Web submission from 187.105.222.250.

c0610pall_MPA_Kit.re.pdf:


EXECUTABLE SCAN: Javascript obfuscation syncAnnotScan to hide blocks (pdfexploit/full)


REPORT:
https://www.vicheck.ca/md5query.php?hash=e40b33d95cb79765664d76e26d694efb

Confidence ranking: 75 (2 hits).


External hash searches:

VIRUS SCAN VirusTotal: 0/42 not detected
REPORT http://www.virustotal.com/analisis/10e735332a0bfb899a0a8ec83cb15f78915bf0a1fdbd311226f26e7501c5d766-1279207142
VIRUS SCAN Threat Expert: New
VIRUS SCAN Team-CYMRU.org: New

PDF Structure - "Failed", but I can say that I analyzed lots of samples and this isn't a common file format for a normal PDF:

1-page file
/Javascript and /JS options
/EmbeddedFiles

Virustotal - OK - http://www.virustotal.com

JoeDoc - Failed - http://www.joedoc.org

Joedoc (Beta) has detected the following results:

Runtime detections:

- Successful exploit on Acrobat 9.2
- Successful exploit on Acrobat 9.0

- Successful exploit on Acrobat 8.1.2
- No exploit on Acrobat 7.0.5

This sample is the kind of sample that has everything to be malicious, but it's not. To make sure, I installed a VM and opened this file (Adobe version 8) and a new sample that was reported the same, which @2gg shared again; that makes me feel comfortable saying that it's a False Positive.

Sorry about that, but I'll always try my best, and I'll triple check next time since double checking failed! Anyway, in my opinion it is better to have a False Positive with this uncommon file, which you can handle, than a False Negative with something very similar and malicious for real.

Keep reading, since we will have lots of good stuff about our research in the future, and for sure with a few False Positives and Negatives, as any malware detection tool has.

Regards,

Rodrigo Montoro (Sp0oKeR)

Monday, July 19, 2010

Malicious PDF not detected by any antivirus signature (Updated/Incorrect)

Please read the new post explaining what was wrong in this post:

http://spookerlabs.blogspot.com/2010/07/not-malicious-pdf-which-online-tool.html

Regards,

Today I got something curious in my PDF analysis:


@2gg, a friend from Twitter, sent me some samples, and I ran 3 of them against VirusTotal to make sure my research isn't generating False Positives (FP). To my surprise, I uploaded a file there and got the detection result: 0/43.


File name: c0610pall_MPA_Kit.re.pdf
Submission date: 2010-07-15 15:42:59 (UTC)
Current status:
Result: 0/43 (0.0%)


Our research result was:


/LABS/pdf-basics$ perl pdf-analisys.pl -f c0610pall_MPA_Kit.re.pdf


c0610pall_MPA_Kit.re.pdf Malicious PDF Detected


That would mean that my script was generating a FP, but based on analysis using Didier Stevens' tools I was thinking that the antivirus totally failed against this sample.


So I ran the PDF against jsunpack-n to have a third test, and I got:


$ ./jsunpackn.py c0610pall_MPA_Kit.re.pdf -V

[suspicious:3] [PDF] c0610pall_MPA_Kit.re.pdf.maybe.vir
suspicious: getAnnots CVE-2009-1492 detected

info: [decodingLevel=0] JavaScript in PDF 1298 bytes, with 1329 bytes headers
info: [decodingLevel=1] found JavaScript
info: file: saved /LABS/pdf-basics/samples/twitter2/c0610pall_MPA_Kit.re.pdf.maybe.vir to (./files/original_4b088c4be0c7bfca3ccbad187f97215d5fb1b181)
file: decoding_438f8880e0e100142aae652071590ba9ea2c572a: 2627 bytes
file: original_4b088c4be0c7bfca3ccbad187f97215d5fb1b181: 1406792 bytes



Talking to Mila from http://contagiodump.blogspot.com, she pointed me to the jsunpack result online: http://jsunpack.jeek.org/dec/go?report=763c8312212dc379e18facb9d96815af36eb79ba


Another thing that pointed me to it being a malicious file, which I needed to figure out how to prove, was the pdfid output:


PDFiD 0.0.11 c0610pall_MPA_Kit.re.pdf
PDF Header: %PDF-1.7
obj 60
endobj 60
stream 21
endstream 22
xref 2
trailer 2
startxref 2
/Page 1
/Encrypt 0
/ObjStm 2
/JS 1 /JavaScript 2
/AA 0
/OpenAction 0
/AcroForm 0
/JBIG2Decode 0
/RichMedia 0
/URI 2
/EmbeddedFile 0
/EmbeddedFiles 1
/cmd 0
/Action 0
/Launch 0
/Colors > 2^24 0


Based on that, I started to test more in depth to try to make sure that this 0/43 result isn't a false negative, or that my research wasn't generating a false positive.


Analyzing the JSunpack detection code, I found:


rule getAnnots: decodedPDF
{
    meta:
        impact = 3 //Since getAnnots may be legitimate
        ref = "CVE-2009-1492"
        hide = true
    strings:
        $cve20091492 = "getAnnots" nocase fullword
    condition:
        1 of them
}


That means that those alerts didn't really mean that something is trying to exploit the flaw, since getAnnots is a feature (not widely or commonly used) in PDF.


So @snowfl0w from http://contagiodump.blogspot.com pointed me to a very nice checking website called https://www.vicheck.ca, where I sent the sample and got the following results:


=============================================


Thank you for your recent submission to vicheck.ca.


Date: 2010-07-15 18:59:54
Web submission from 187.105.222.250.


c0610pall_MPA_Kit.re.pdf:


EXECUTABLE SCAN: Javascript obfuscation syncAnnotScan to hide blocks (pdfexploit/full)


REPORT: https://www.vicheck.ca/md5query.php?hash=e40b33d95cb79765664d76e26d694efb


Confidence ranking: 75 (2 hits).


External hash searches:
VIRUS SCAN VirusTotal: 0/42 not detected
REPORT http://www.virustotal.com/analisis/10e735332a0bfb899a0a8ec83cb15f78915bf0a1fdbd311226f26e7501c5d766-1279207142
VIRUS SCAN Threat Expert: New
VIRUS SCAN Team-CYMRU.org: New


=============================================


As a last test I sent it to joedoc.org, and I got good results too:


Joedoc (Beta) has detected the following results:


Runtime detections:


- Successful exploit on Acrobat 9.2
- Successful exploit on Acrobat 9.0

- Successful exploit on Acrobat 8.1.2
- No exploit on Acrobat 7.0.5




Special thanks to @2gg and @snowfl0w


** About VirusTotal: it basically runs the sample against signatures, while some AV products have behavior analysis among other checks, which weren't run against this sample.


Regards,


Rodrigo Montoro (Sp0oKeR)
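The two posts above combine pdfid-style keyword counts with the JSunpack getAnnots match, and end up needing a VM to settle the verdict. As an added example (my own code, not the post's perl script nor pdfid, jsunpack-n, ViCheck or JoeDoc code), the Python below reproduces that triage: it inflates Flate streams so content inside /ObjStm objects is seen, counts the same name keywords pdfid reports, applies the YARA rule's "getAnnots" nocase fullword match, and only escalates to "suspicious" when the script is wired to /OpenAction or /AA. The verdict rules, function names and the constructed sample PDF are assumptions of this example, not something the posts state.

```python
import re
import zlib

# Name keywords to count: a subset of what pdfid reports in the post above.
KEYWORDS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA",
            b"/EmbeddedFile", b"/EmbeddedFiles", b"/Launch", b"/URI")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)
# The same match the JSunpack YARA rule makes: "getAnnots" nocase fullword.
GETANNOTS_RE = re.compile(rb"(?<![A-Za-z0-9_])getAnnots(?![A-Za-z0-9_])", re.I)

def inflate_streams(data: bytes) -> bytes:
    """Append every stream body zlib can inflate (FlateDecode / ObjStm contents)."""
    parts = [data]
    for body in STREAM_RE.findall(data):
        try:
            parts.append(zlib.decompressobj().decompress(body))
        except zlib.error:
            pass  # not Flate-encoded; its raw bytes are already in parts[0]
    return b"\n".join(parts)

def normalize_names(data: bytes) -> bytes:
    """Resolve #HH escapes in PDF names (/J#53 is /JS), as pdfid does."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def count_keywords(data: bytes) -> dict:
    """pdfid-style counts: the name must end where the next token starts."""
    return {kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", data))
            for kw in KEYWORDS}

def triage(pdf: bytes) -> dict:
    data = normalize_names(inflate_streams(pdf))
    counts = count_keywords(data)
    has_js = counts["/JS"] + counts["/JavaScript"] > 0
    auto_run = counts["/OpenAction"] + counts["/AA"] > 0
    if not has_js:
        verdict = "clean"       # no script, so no JavaScript-based rule can fire
    elif auto_run:
        verdict = "suspicious"  # script wired to run on open: the usual exploit layout
    else:
        verdict = "review"      # script present but not auto-run: open it in a VM first
    return {"keywords": counts, "getAnnots": bool(GETANNOTS_RE.search(data)),
            "verdict": verdict}

# Constructed sample (not the post's file): getAnnots JavaScript in a Flate stream, in the Names tree, no /OpenAction or /AA.
_SCRIPT = b"var a = this.getAnnots({nPage: 0}); app.alert(a ? a.length : 0);"
_COMP = zlib.compress(_SCRIPT)
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /JavaScript 3 0 R >> >> endobj\n"
              b"3 0 obj << /Names [(init) 4 0 R] >> endobj\n4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
              b"5 0 obj << /Length " + str(len(_COMP)).encode() + b" /Filter /FlateDecode >>\nstream\n"
              + _COMP + b"\nendstream\nendobj\n%%EOF\n")
```

Running `triage(SAMPLE_PDF)` gives the same picture as the post's sample (/JS 1, /JavaScript 2, getAnnots found, nothing auto-run), so the verdict is "review" rather than "suspicious".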

Friday, July 16, 2010

ISSA Day July @ Checkpoint

Dear all,

Remember that the ISSA Day is a free event and an excellent networking opportunity, besides good talks.

The Brazil Chapter of ISSA invites everyone interested to take part in the ISSA Day of July 2010.

The event is free and open to anyone interested, and is supported by Check Point.

Date: July 20, 2010


Agenda:

19:00 – ISSA Brasil presentation

19:30 – Daniel Bortolazzo (Check Point) – Talk on DLP

20:30 – Coffee Break / Networking

21:00 – Cleber Brandão (BrConnection) / Rodrigo Branco (Check Point) – Talk on Malware Analysis and Research using Open Source tools and Developing Corporate Tools


Location:

Check Point Software Technologies (Brazil) Ltda.
Rua Samuel Morse, 120 – Itaim Bibi
04576-060 – São Paulo, SP Brazil

Those interested have to register: http://www.issabrasil.org/2010/07/16/issa-day-julho-2010/

Happy Hacking!

Rodrigo Montoro (Sp0oKeR)

Wednesday, July 7, 2010

Intrusion Prevention Summit (Online) – July 8, 2010

A bit last minute, but I received this on LinkedIn and found it quite interesting, since besides being free it will also be online (in English).

I have included below links to a free online summit on Intrusion Prevention that takes place on July 8. At this summit, leading experts will look at the emerging threat landscape and provide tips to ensure your security management program can best overcome these new challenges in intrusion prevention. It will also cover key aspects in detecting, patching and immunizing your network to prevent repeated attacks from occurring. Hear leading industry experts from TechTarget, Vodafone, SecureWorks, ISACA, Fortinet and more as they discuss the latest innovations, best practices, barriers to implementation and measurable benefits of intrusion prevention.

Register here: http://www.brighttalk.com/r/svf

Intrusion Prevention Summit Presentations Include:

“When Prevention Fails: The Role of IPS in Incident Response”
C. Matthew Curtin, Founder, Interhack

“Threat Prevention for 2010 and Beyond”
Jason Clark, SE Manager, US Channels, Fortinet

“Network Intrusion Prevention vs. Anomaly Detection”
Mike Fratto, Editor, Network Computing

“Top Risks Associated with Implementing IPS”
Marco Ermini, Network Security Manager, Vodafone Group Services

“The Digital Disaster – Dealing with Computer Incidents”
Jan Collie, Managing Director & Principal Investigator, The Digital Detective Ltd.

“Why “Human Intelligence” is Critical to Effective IPS”
Paul Pearston, Security Solutions Architect, SecureWorks

“Intrusion Prevention, Are We Joking?”
Mark Henshaw, Director, ISACA London & Chairman, ISACA Winchester

“What’s the Future for Intrusion Prevention? Key 2011 Trends”
Ron Condon, UK Bureau Chief, TechTarget

Register here: http://www.brighttalk.com/r/svf

Posted By Holger Schulze

Happy Detection!

Rodrigo Montoro (Sp0oKeR)