
March 2010 Patch Tuesday Security Briefing

This month’s Patch Tuesday release from Microsoft is particularly light: it includes two bulletins rated Important, each carrying an Exploitability Index rating of “1”, which should be addressed as soon as possible. From an impact perspective, both bulletins may require a restart and may have an impact on operations: one is in Microsoft Office and one in Microsoft Windows. To view a full description of the Microsoft bulletins as well as other vendor patches, click here.

Posted in Security.

A day of IDS (Snort) event data

Posted in Security.

Moving Again (Visible Risk)

So I think this is the last time I’ll ask you to move with me….  I hope it is anyway….

As of last week I’ve started a new venture.  My company is named “Visible Risk”.  Visible Risk, other than being a great name for a company, is my effort to help push information security forward over the next few years.  I’ll be working with certain organizations on integrating intelligence and security operations, and a huge area of focus for me will be providing “live” use-case based content for security products (like SIEM).

Additionally, I’m starting a new podcast and video/webcast under the Visible Risk brand over the next few weeks, so please be on the lookout for that, as I’d love to involve you in it!

Visible Risk Blog RSS Feed:  http://www.visiblerisk.com/blog/rss.xml

Thank you again to everyone who has helped me over the years to better understand my strengths and weaknesses and for always pushing me forward!

If you’re not already following my new blog here are links to some of my recent postings:

1.  A primer on starting a new company:  http://www.visiblerisk.com/blog/2010/3/10/so-you-want-to-work-for-yourself.html  or   http://bit.ly/aX7WWB

2.  RSA Recap - Round 1: http://www.visiblerisk.com/blog/2010/3/10/rsa-conference-2010-recap-round-1.html  or http://bit.ly/aPA63z

Thank You,
Rocky

Posted in Security.

HM Revenue & Customs Refund Portal - Ten Phish in One

This morning I was reading a report from Kenneth Paschal, a member of the UAB Phishing Operations research team, that contained an interesting group of new phishing sites. The campaign advertises an “HM Revenue & Customs” page called the “Tax Refund Portal”, which looks like this:

Each of the icons takes the visitor to a very professional-looking phishing site built to steal the credentials for that bank. The banks currently making up the pool include:

Barclays
Lloyds TSB
Halifax
Abbey
HSBC
Cahoot
Royal Bank of Scotland
Egg Bank
NatWest
Alliance & Leicester

In most cases the URL advertised in the phishing email is actually a redirector to another location. For instance, the most recent phish from today forwarded to this site to show the actual content:

hxxp://daegups.com/bbs/data/bbs2/folder/folder/New Folder/United2/Folder/Folder/Folder/Folder/Folder/Folder/Folder/empty/empty/empty/United2/United/United/United/index.htm

We had previously seen seventeen such phishing sites, in July and August of 2009, but the front has been quiet until March 1st. A quick peek into the UAB PhishURLs database shows that we’re seeing an escalated number of these sites being created.

2010-03-01 | http://www.tvlinko.com/refundportal.htm
2010-03-02 | http://www.tvlinko.com/hmrc/refundportal.htm
2010-03-03 | http://romeningh.dz/img/glyph/hmrc/refundportal.htm
2010-03-03 | http://www.michaelmucklow.com/wp-content/hmrc/refundportal.htm
2010-03-04 | http://www.urbanecology.org/szjtd/hmrc/hmrc/refundportal.htm
2010-03-04 | http://kaptan-electricite.dz/images/me/hmrc/hmrc/refundportal.htm
2010-03-04 | http://kaptan-electricite.dz/images/ms/hmrc/hmrc/refundportal.htm
2010-03-04 | http://www.ardeola.org/lib/hmrc/refundportal.htm
2010-03-04 | http://kaptan-electricite.dz/images/hmrc/hmrc/refundportal.htm
2010-03-04 | http://kaptan-electricite.dz/images/all/hmrc/hmrc/refundportal.htm
2010-03-05 | http://www.bloomingdaledc.org/joomla/cache/hmrc/refundportal.htm
2010-03-05 | http://www.demo.wecandesign.com.tw/gojahn/images/file/hmrc/hmrc/refundportal.htm
2010-03-05 | http://www.demo.wecandesign.com.tw/gojahn/images/image/hmrc/hmrc/refundportal.htm
2010-03-05 | http://www.demo.wecandesign.com.tw/gojahn/upimg/pro/hmrc/hmrc/refundportal.htm
2010-03-05 | http://www.demo.wecandesign.com.tw/gojahn/upimg/hmrc/hmrc/refundportal.htm
2010-03-06 | http://www.planet-promo.de/roxx/cache/hmrc/hmrc/refundportal.htm
2010-03-06 | http://mojwlasnydom.com/gallery/hmrc/hmrc/refundportal.htm
2010-03-06 | http://www.peterkinitsolutions.com/demos/lingerie/images/hmrc/hmrc/refundportal.htm
2010-03-06 | http://www.peterkinitsolutions.com/demos/Jewellery/images/hmrc/hmrc/refundportal.htm
2010-03-06 | http://planet-promo.de/cache/hmrc/hmrc/refundportal.htm
2010-03-06 | http://planet-promo.de/roxx/logs/hmrc/hmrc/refundportal.htm
2010-03-06 | http://www.examsheets.net/images/hmrc/hmrc/refundportal.htm
2010-03-07 | http://bogatypolak.com/hmrc/hmrc/refundportal.htm
2010-03-07 | http://www.cz.etechsol.pk/cp/hmrc/hmrc/refundportal.htm
2010-03-07 | http://mojwlasnydom.com/uk/hmrc/hmrc/refundportal.htm
2010-03-07 | http://artemoda.uol.com.br/fotos/hmrc/hmrc/refundportal.htm
2010-03-07 | http://bogatypolak.com/uk/hmrc/hmrc/refundportal.htm
2010-03-07 | http://www.ingatlanok.erdelyitelkek.ro/re_images/UK/hmrc/hmrc/refundportal.htm
2010-03-07 | http://mojwlasnydom.com/images/hmrc/hmrc/refundportal.htm
2010-03-07 | http://artemoda.uol.com.br/downloads/hmrc/hmrc/refundportal.htm
2010-03-07 | http://mojwlasnydom.com/libs/hmrc/hmrc/refundportal.htm
2010-03-08 | http://www.ingatlanok.erdelyitelkek.ro/re_images/UK/hmrc/refundportal.htm
2010-03-08 | http://www.cotogarden.com/templates/hmrc/refundportal.htm
2010-03-08 | http://www.cotogarden.com/myimages/hmrc/refundportal.htm
2010-03-08 | http://www.cotogarden.com/hmrc/refundportal.htm
2010-03-09 | http://www.cotogarden.com/_private/hmrc/refundportal.htm
2010-03-09 | http://www.cotogarden.com/images/hmrc/refundportal.htm
2010-03-09 | http://www.cotogarden.com/_vti_bin/hmrc/refundportal.htm
2010-03-09 | http://www.cotogarden.com/banners/hmrc/refundportal.htm
2010-03-10 | http://www.restoretherepublic.com/images/hmrc/refundportal.htm
2010-03-10 | http://www.eab-gmbh.de/images/hmrc/refundportal.htm
2010-03-10 | http://www.eab-gmbh.de/cgi-bin/hmrc/refundportal.htm

The UAB Spam Data Mine had samples in our March 6th spam at 12:30 AM, 1:30 AM, 4:30 AM and 5:45 AM spam collections for “planet-promo.de/roxx/logs/hmrc/hmrc/refundportal.htm”. After that site was terminated, the bad guys relaunched in our 12:15 PM spam collection with “www.examsheets.net/images/hmrc/hmrc/refundportal.htm”.
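As an added example (not part of the original report), a short Python triage helper run over a few lines copied from the list above plus one constructed non-matching line (example.com): it keeps only URLs that end in the campaign’s refundportal.htm signature, merges the www. and bare forms of a host so the two planet-promo.de entries land together, and reports per-host first/last seen dates and the number of distinct kit paths, which separates a host the attacker uploaded the kit to in several directories (kaptan-electricite.dz) from a one-off.

```python
"""Cluster phishing URLs by path signature and compromised host (added example)."""
import re
from typing import Dict, Iterable
from urllib.parse import urlparse

# Lines copied from the page's UAB PhishURLs list, plus one constructed
# non-campaign line (example.com) to show the filter rejecting it.
SAMPLE_LINES = """\
2010-03-01 | http://www.tvlinko.com/refundportal.htm
2010-03-04 | http://kaptan-electricite.dz/images/me/hmrc/hmrc/refundportal.htm
2010-03-04 | http://kaptan-electricite.dz/images/ms/hmrc/hmrc/refundportal.htm
2010-03-06 | http://www.planet-promo.de/roxx/cache/hmrc/hmrc/refundportal.htm
2010-03-06 | http://planet-promo.de/roxx/logs/hmrc/hmrc/refundportal.htm
2010-03-06 | http://example.com/index.htm
2010-03-10 | http://www.eab-gmbh.de/cgi-bin/hmrc/refundportal.htm
""".splitlines()

# The kit always lands as refundportal.htm, optionally under one or two "hmrc" directories.
CAMPAIGN_PATH = re.compile(r"(?:/hmrc){0,2}/refundportal\.htm$", re.IGNORECASE)


def is_campaign_url(url: str) -> bool:
    """True if the URL path ends in the campaign's file-name signature."""
    return CAMPAIGN_PATH.search(urlparse(url).path) is not None


def normalize_host(host: str) -> str:
    """Lower-case and drop a leading 'www.' so both forms of a host merge."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per compromised host: first/last seen date, hit count and distinct kit paths."""
    hosts: Dict[str, dict] = {}
    for line in lines:
        date, _, url = (part.strip() for part in line.partition("|"))
        if not is_campaign_url(url):
            continue
        parsed = urlparse(url)
        host = normalize_host(parsed.hostname or "")
        entry = hosts.setdefault(host, {"first": date, "last": date, "count": 0, "paths": set()})
        entry["first"] = min(entry["first"], date)   # ISO dates sort as strings
        entry["last"] = max(entry["last"], date)
        entry["count"] += 1
        entry["paths"].add(parsed.path)
    return hosts


if __name__ == "__main__":
    for host, info in sorted(summarize(SAMPLE_LINES).items()):
        flag = "  <- kit in several directories" if len(info["paths"]) > 1 else ""
        print(f"{host:28} {info['first']} .. {info['last']}  hits={info['count']}{flag}")
```

The path regex, not the host, is the durable indicator here: the hosts are compromised third-party sites that come and go within hours, while the kit’s file name survives each relaunch.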

Just looking at a few of those emails as an example, here is what the spam body looks like:

After the last annual calculations of your fiscal activity, we have determined that you are eligible to receive a tax refund of 988.50 GBP. Please submit the tax refund request and allow us 2-3 days in order to process it.

Click Here to submit your tax refund request

Note : A refund can be delayed a variety of reasons, for example submitting invalid records or applying after deadline.

Best Regards

HM Revenue & Customs

We’ll continue to watch for emerging patterns like this one, and share with you what we find. For now, be wary of this “Tax Refund Portal”!

Posted in Security.

Log review Checklist for Security Incidents

Anton Chuvakin, a well-known security expert and consultant in the field of log management and PCI DSS compliance and author of many books, and Lenny Zeltser, leader of the security consulting team at Savvis and senior faculty member at SANS, have created a “Critical Log Review Checklist for Security Incidents”.

“The log cheat sheet presents a checklist for reviewing critical system, network and security logs when responding to a security incident. It can also be used for routine periodic log review,” says Chuvakin on his popular blog, where the checklist can be downloaded in HTML, PDF or DOC format.


Posted in Security.

Monoprice.com Shuttered After Fraud Complaints

Audio visual cabling giant monoprice.com shut down its Web site – possibly for the next couple of weeks – while it investigates the possible compromise of its customer credit and debit card information.

Check out the article – [KrebsonSecurity]


Posted in Security.

The SDL story: IE8 and Office 2007

Microsoft published two articles today that tell the SDL story through the examples of IE8 and Office 2007:

How the Security Development Lifecycle Helped Improve the Security of the 2007 Microsoft Office System

Internet Explorer 8 and the Security Development Lifecycle (SDL)


Posted in Security.

NoVA Hackers Dinner Wrap-Up

Last night I attended the NoVA Hackers Association monthly dinner meetup. Instead of one or two longer talks, this meeting had four shortened 15-minute presentations, often called Firetalks (fireside talks). The talks were great and there was plenty of time to catch up with some of the local infosec pros. Approximately 15 people attended the event, hosted at ICS International’s corporate headquarters in Fairfax, VA.

After a bit of networking, @elwing started off with an overview of CACert. This is an open-source-styled certificate authority (CA) where your identity is vouched for through points awarded by assurers who check identification documents. There is a basic-level certificate you can get with no points, similar to the old Thawte-style certificates. Each assurer can give up to 35 points, and with 150 points you can also apply to become an assurer. CACert’s root certificate is already present by default in several Linux distributions, and the group is working on Firefox and Safari. Getting its root certificate into IE may be harder due to processing costs of approximately $150,000. They are also looking for volunteers to help out in different roles, e.g., policy writing, developing website workflows, and obtaining default placement in browsers. Contact @elwing if you’re interested in helping out or want to be assured.

Next, Rob “@mubix” Fuller presented on his frustrations with achieving completeness in pen tests and offered some interesting solutions via DNS foo in his talk titled “IP Contra.” Unfortunately, I (like everyone else at the meeting) can’t talk about the details, as we had to sign an NDA before he presented. :) But what I can say is that DNS is not geographic!

We have all done a lot of NMAP scans at some point and been overwhelmed trying to make sense of all the data collected over time. Enter Chris “@carnal0wnage” Gates and his talk “Nmap XML Ruby Stuff.” The general idea was a way to push the XML scan results into a database that can be searched. Back in January he started piecing things together and posted some of his initial ideas and code. Since then he has experimented with several frameworks but ended up writing his own Ruby implementation. The end result was a fairly complete database for NMAP results with command-line searching. Chris continues to evolve his implementation and is looking for help. He’s especially looking for anyone with GUI development experience to write a frontend. Contact @carnal0wnage if you’d like to help or want to try his updated implementation.

Finally, Terrence “@kingtuna” Gareau pulled in a little late but presented and demoed a USB attack on a fully patched Windows computer. He created a Metasploit module that returns a shell to an attacker simply by inserting a USB drive into a victim computer. Although this is not new, the demo was against a fully patched Windows box. The trick was to place the attack code on a USB drive that presents itself as a CD-ROM. By default, Windows still autoplays CDs! Enterprises can help protect against this attack by configuring Group Policy to turn off Autoplay for ALL drive types, not just removable disks.

Anyway, that was it for the official talks. There were plenty of great side conversations, or “round table talks” (RTTs), as well. NovaHackers may even incorporate this RTT idea into future meetings. Thanks to Lucus and Jonathan of ICS International for setting up the facility, providing refreshments, and organizing dinner. For future events, check out the NoVA Hackers Association blog. Also, we set up the @novahackers Twitter account, which pushes out tweets whenever Rob and Chris put out new blog posts. This is another great way to keep up with what’s going on with this group.

///

There are a lot of other infosec events going on around DC. If you are the sponsoring group or attended one of these meetups or conferences and would like to submit a summary to be posted on this site, please send us a message from our Contact Us page or mention @grecs on Twitter. See ya!

Posted in Security.

Cryptanalysis of the Sasfis Registry Key

Recently I’ve been working on an analysis of Sasfis botnet communications. During the tests I noticed that when the bot installs itself, it adds a registry key named “idid”, with some random-looking data in it. The data was added under the value name “url0”, so it seemed like it must be an encrypted URL. Here is an example from one of the bot variants:

Key Name:          HKEY_CLASSES_ROOT\idid

Name:            url0

00000000   1e 9b 6d d8  89 e6 c4 50  7f fd 13 6b  fa e2 f4 17

00000010   1a 80 78 cc  d6 bb c4 55  73 b5 07 77  a4 81 3a 71

00000020   a4 98 ba d8  2c 85 17 ad  ce c0 b1 a5  9f c8 07 0b

But what URL could this be, if it is one? Most of these bytes are not in the normal text range, so it would have to be encrypted. Even when there was no network connection, the url0 data was added, so I knew it must be hard coded into the bot. From the tests I had been doing, I also knew that the bot contained a hard coded URL for its Command and Control server. So it seemed possible that the C&C URL was encrypted here, but of course I would have to prove that.

The first 16 bytes of the url0 values, from six bot tests, with their test identifiers (T3, M2 etc.), are listed below. The list is sorted by the opening bytes. They fall into two groups where the first seven bytes are identical. The T2 data is slightly different from the ones below it, but the one different byte (f1) could be the result of an encryption error.

T3   1e 9b 6d d8  89 e6 c4 50  7f fd 13 6b  fa e2 f4 17

M2   1e 9b 6d d8  89 e6 c4 5f  60 ff 12 7b  bd ea f3 4c



T2   f1 9b 20 62  fc 48 d0 3e  27 fc 1d f7  94 5a ff 3f

T1   f8 9b 20 62  fc 48 d0 32  3c fc 17 f1  91 51 ea 3f

M1   f8 9b 20 62  fc 48 d0 2a  2e fc 11 f9  81 1a f6 74

M5   f8 9b 20 62  fc 48 d0 2b  2a fd 17 e2  87 46 ea 7e

Looking at this, it seems fairly likely that each group was encrypted with the same key. And if these are URLs, the seven common bytes at the beginning of each line could be “http://”, if we are on the right track.

The obvious move at this point is to test this theory. We can start with the first row of hex data from the T3 and M2 tests, recover the key for T3 using the hard coded URL for that variant, then find out if the key is correct by decrypting M2 with it. The worksheet below shows the hard coded URL and the url0 registry data for T3 in the first two lines. At the bottom is the URL in text format and in the plain line are the equivalent hex bytes.

T3 http://gnfdt.cn/loader/bb.php

00000000   1e 9b 6d d8  89 e6 c4 50  7f fd 13 6b  fa e2 f4 17  (encrypted in registry)

key

plain      68 74 74 70  3a 2f 2f 67  6e 66 64 74  2e 63 6e 2f (url in hex format)

text       h  t  t  p   :  /  /  g   n  f  d  t   .  c  n  /   (known hard coded URL)

We will assume that the key was XORed with the plaintext to produce this encryption. That is the most likely case, but if we are wrong it will be necessary to try some other methods. From this basis we will now XOR the encrypted and plain bytes to recover the key.

T3 http://gnfdt.cn/loader/bb.php

00000000   1e 9b 6d d8  89 e6 c4 50  7f fd 13 6b  fa e2 f4 17 (encrypted in registry)

key        76 ef 19 a8  b3 c9 eb 37  11 9b 77 1f  d4 81 9a 38 (recovered key)

plain      68 74 74 70  3a 2f 2f 67  6e 66 64 74  2e 63 6e 2f (url in hex format)

text       h  t  t  p   :  /  /  g   n  f  d  t   .  c  n  /   (known hard coded URL)

Now we have some key bytes, but there is no proof that they are real. To prove that, we can use the key bytes to decrypt M2. The result is below. Part of the URL that is hard coded into the M2 bot has been revealed.

M2 http://hqdedikit.com/mld/bb.php

00000000   1e 9b 6d d8  89 e6 c4 5f  60 ff 12 7b  bd ea f3 4c (encrypted in registry)

key        76 ef 19 a8  b3 c9 eb 37  11 9b 77 1f  d4 81 9a 38 (recovered key)

plain      68 74 74 70  3a 2f 2f 68  71 64 65 64  69 6b 69 74 (decrypted hex)

text       h  t  t  p   :  /  /  h   q  d  e  d   i  k  i  t   (decrypted text)

So our case is proved, the hard coded URL is the one hidden in the registry key. We can easily extend this through the rest of the encrypted data to show the whole URL, and remove any lingering doubt.

But what would we do if each bot variant had its own key? The method above would not work, but there are other ways to approach this problem. One way is to check whether this is a repeating key encryption system. They are very common, and if it is we can make comparisons within one URL, instead of using two as we did above.

Let’s try this method with T3. The simple way is to use the whole URL to find as many key bytes as possible, then look for repetitions.

T3 http://gnfdt.cn/loader/bb.php

00000000   1e 9b 6d d8  89 e6 c4 50  7f fd 13 6b  fa e2 f4 17

key        76 ef 19 a8 b3 c9 eb 37  11 9b 77 1f  d4 81 9a 38

plain      68 74 74 70  3a 2f 2f 67  6e 66 64 74  2e 63 6e 2f

text       h  t  t  p   :  /  /  g   n  f  d  t   .  c  n  /



00000010   1a 80 78 cc  d6 bb c4 55  73 b5 07 77  a4 81 3a 71

key        76 ef 19 a8 b3 c9 eb 37  11 9b 77 1f  d4

plain      6c 6f 61 64  65 72 2f 62  62 2e 70 68  70

text       l  o  a  d   e  r  /  b   b  .  p  h   p

Here we can see that the key starts to repeat at the start of the second row. So the key length is 16 bytes, and again we have proved that the registry value holds the hard coded URL. Decrypting the next byte at the end provides a little bonus, 0x81 XOR 0x81 = 0x00, the null terminator for the string. Decryption from this point onward exposes bytes that appear to be random.
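The known-plaintext step and the period check above, as an added example in Python (not the original author’s tooling and not the bot’s code): recover the keystream from T3 and its known URL, find where the keystream repeats, and confirm the key by decrypting the first row of M2. The only assumptions are the XOR cipher the post already assumes and that the stored string is NUL-terminated, which the 0x81 XOR 0x81 = 0x00 byte supports.

```python
"""Known-plaintext recovery of the Sasfis url0 XOR key (added example)."""
from typing import Optional

# Registry data copied from the page's T3 and M2 tests (M2: only its first row is given).
T3_CT = bytes.fromhex(
    "1e9b6dd889e6c4507ffd136bfae2f417"
    "1a8078ccd6bbc45573b50777a4813a71"
    "a498bad82c8517adcec0b1a59fc8070b"
)
M2_CT = bytes.fromhex("1e9b6dd889e6c45f60ff127bbdeaf34c")

# The C&C URL hard-coded in the T3 variant, NUL-terminated as C code would store it
# (assumption: the trailing 0x00 is the string terminator, as the post concludes).
T3_URL = b"http://gnfdt.cn/loader/bb.php\x00"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """For a XOR cipher, C xor P gives the keystream wherever P is known."""
    return xor_bytes(ciphertext, known_plaintext)


def find_period(keystream: bytes) -> Optional[int]:
    """Smallest p such that keystream[i] == keystream[i + p] for every i that fits.

    None means no repetition is visible inside the recovered bytes, which is what a
    key as long as the message (or a real stream cipher) would look like. Trust the
    answer only when the known plaintext spans well over two periods.
    """
    for p in range(1, len(keystream)):
        if all(keystream[i] == keystream[i + p] for i in range(len(keystream) - p)):
            return p
    return None


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Apply a repeating XOR key over the whole ciphertext."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(ciphertext))


def c_string(data: bytes) -> bytes:
    """Cut at the first NUL, the way the bot reads the string back."""
    return data.split(b"\x00", 1)[0]


def recover_t3_key() -> bytes:
    """Recover the complete repeating key from T3 and its known URL alone."""
    keystream = recover_keystream(T3_CT, T3_URL)   # 30 bytes: 29 URL chars + NUL
    period = find_period(keystream)
    if period is None:
        raise ValueError("no key repetition within the known plaintext")
    return keystream[:period]


if __name__ == "__main__":
    key = recover_t3_key()
    print(f"key ({len(key)} bytes): {key.hex()}")
    print("T3 decrypts to:", c_string(decrypt(T3_CT, key)))
    # The same key applied to a different variant in the same group confirms it is real;
    # bytes past the NUL in T3 decrypt to junk, as the post observes.
    print("M2 decrypts to:", decrypt(M2_CT, key))
```

Running it prints the 16-byte key from the worksheet, the T3 URL, and “http://hqdedikit” for M2’s first row; the junk after T3’s terminator is why c_string() is applied before reading the result.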

But now consider another scenario, what would we do if we had no idea what the encrypted URLs were? If we have bots with different URLs using the same key, the problem is not beyond solution. To demonstrate I will use the data from T1 and M1, from the other key group. It turns out, in the end, that only the first two lines of hex are needed for this, so the example below will not show the third line.

First we need to locate the key repetition. We can try “http://” at the start to find the first seven key bytes. With these key bytes we can decrypt at different locations until some URL-like text appears. The bot code probably processed this as DWORDs, so we will take a shortcut by checking at four-byte intervals, and use only four key bytes for each decryption. If this fails we will have to try decrypting at different intervals, possibly even at every byte. The “?” marks below indicate decrypted bytes outside the normal text range, which we would not expect in a URL.

T1 00000000   f8 9b 20 62  fc 48 d0 32  3c fc 17 f1  91 51 ea 3f

key        90 ef 54 12  c6 67 ff 90 ef 54 12  90 ef 54 12

plain      68 74 74 70  3a 2f 2f     ac 13 43 e3  01 be be 2d

text       h  t  t  p   :  /  /      ?  ?  C  ?   ?  ?  ?  -



00000010   f3 81 7b 7f  aa 03 d0 3d  27 be 08 f8  85 34 44 87

key        90 ef 54 12 90 ef 54 12 90 ef 54 12 90 ef 54 12

plain      63 6e 2f 6d  3a ec 84 2f  b7 51 5c ea  15 d8 10 95

text       c  n  /  m :  ?  ?  /   ?  Q  \  ?   ?  ?  ?  ?

The true decryption appears to be “cn/m”, at the start of the second row. None of the others is even close. So it looks like we have found the key repetition and the key length. With this information we can set up our worksheet, with the known key bytes and the decryptions they give us filled in. It can be seen below, where the decrypted parts confirm our work so far.

T1 00000000   f8 9b 20 62  fc 48 d0 32  3c fc 17 f1  91 51 ea 3f

key        90 ef 54 12  c6 67 ff

plain      68 74 74 70  3a 2f 2f

text       h  t  t  p   :  /  /



00000010   f3 81 7b 7f  aa 03 d0 3d  27 be 08 f8  85 34 44 87

key        90 ef 54 12  c6 67 ff

plain      63 6e 2f 6d  6c 64 2f

text       c  n  /  m   l  d  /



M1 00000000   f8 9b 20 62  fc 48 d0 2a  2e fc 11 f9  81 1a f6 74

key        90 ef 54 12  c6 67 ff

plain      68 74 74 70  3a 2f 2f

text       h  t  t  p   :  /  /



00000010   e4 c0 38 7d  a7 03 9a 2d  6a f2 1a be  85 5c e8 11

key        90 ef 54 12  c6 67 ff

plain      74 2f 6c 6f  61 64 65

text       t  /  l  o   a  d  e

Now we need to extend the URL text parts to uncover more key bytes. In other words we need to make some good guesses, but because the structure of URLs is well known to us, this should not be too difficult.

Notice that the second text line under T1 starts with “cn/mld/”. This looks like a “.cn” top level domain, so let’s fill in the “.” and apply the key byte we get.

T1 00000000   f8 9b 20 62  fc 48 d0 32  3c fc 17 f1  91 51 ea 3f

key        90 ef 54 12  c6 67 ff                           11

plain      68 74 74 70  3a 2f 2f                           2e

text       h  t  t  p   :  /  /                            .



00000010   f3 81 7b 7f  aa 03 d0 3d  27 be 08 f8  85 34 44 87

key        90 ef 54 12  c6 67 ff 11

plain      63 6e 2f 6d  6c 64 2f                           96

text       c  n  /  m   l  d  /                            ?



M1 00000000   f8 9b 20 62  fc 48 d0 2a  2e fc 11 f9  81 1a f6 74

key        90 ef 54 12  c6 67 ff                           11

plain      68 74 74 70  3a 2f 2f                           65

text       h  t  t  p   :  /  /                            e



00000010   e4 c0 38 7d  a7 03 9a 2d  6a f2 1a be  85 5c e8 11

key        90 ef 54 12  c6 67 ff 11

plain      74 2f 6c 6f  61 64 65                           00

text       t  /  l  o   a  d  e                            \0

Now we have some more decrypted bytes. There is a null at the end of M1, which must be the URL string terminator, and a non-text byte (0x96), but let’s ignore that one for now. It may be junk from beyond the end of the URL string, and we will know soon enough if this was a bad guess. At the end of the first M1 line the text character is an “e”, so that we now have “et/loade”. This looks like it must be “.net/loader”, so next we will fill this in and decrypt some more.

T1 00000000   f8 9b 20 62  fc 48 d0 32  3c fc 17 f1  91 51 ea 3f

key        90 ef 54 12  c6 67 ff 5f 34 98 11

plain      68 74 74 70  3a 2f 2f 6d                  65 72 2e

text       h  t  t  p   :  /  /  m e  r .



00000010   f3 81 7b 7f  aa 03 d0 3d  27 be 08 f8  85 34 44 87

key        90 ef 54 12  c6 67 ff 5f 34 98 11

plain      63 6e 2f 6d  6c 64 2f 62                  00 dc 96

text       c  n  /  m   l  d  /  b \0 ? ?



M1 00000000   f8 9b 20 62  fc 48 d0 2a  2e fc 11 f9  81 1a f6 74

key        90 ef 54 12  c6 67 ff 5f                  34 98 11

plain      68 74 74 70  3a 2f 2f 75                  2e 6e 65

text       h  t  t  p   :  /  /  u .  n e



00000010   e4 c0 38 7d  a7 03 9a 2d  6a f2 1a be  85 5c e8 11

key        90 ef 54 12  c6 67 ff 5f 34 98 11

plain      74 2f 6c 6f  61 64 65 72                  68 70 00

text       t  /  l  o   a  d  e  r h  p \0

There is nothing very obvious here, but at the end of the second row of M1 we have “hp\0”. This looks like it could be “.php”, so let’s try that next.

T1 00000000   f8 9b 20 62  fc 48 d0 32  3c fc 17 f1  91 51 ea 3f

key        90 ef 54 12  c6 67 ff 5f 90  f5 34 98 11

plain      68 74 74 70  3a 2f 2f 6d           61  64 65 72 2e

text       h  t  t  p   :  /  /  m            a   d e  r  .



00000010   f3 81 7b 7f  aa 03 d0 3d  27 be 08 f8  85 34 44 87

key        90 ef 54 12  c6 67 ff 5f 90  f5 34 98 11

plain      63 6e 2f 6d  6c 64 2f 62           68  70 00 dc 96

text       c  n  /  m   l  d  /  b            h   p \0 ?  ?



M1 00000000   f8 9b 20 62  fc 48 d0 2a  2e fc 11 f9  81 1a f6 74

key        90 ef 54 12  c6 67 ff 5f 90  f5 34 98 11

plain      68 74 74 70  3a 2f 2f 75           69  74 2e 6e 65

text       h  t  t  p   :  /  /  u            i   t .  n  e



00000010   e4 c0 38 7d  a7 03 9a 2d  6a f2 1a be  85 5c e8 11

key        90 ef 54 12  c6 67 ff 5f           90  f5 34 98 11

plain      74 2f 6c 6f  61 64 65 72           2e  70 68 70 00

text       t  /  l  o   a  d  e  r            .   p h  p  \0

This looks good, and now we have some good hints. In T1, in the first line, it looks like we have “//m?loader.” and in the second line another “.php” is developing. We can put these in.

T1 00000000   f8 9b 20 62  fc 48 d0 32  3c fc 17 f1  91 51 ea 3f

key        90 ef 54 12  c6 67 ff 5f     90 78 90  f5 34 98 11

plain      68 74 74 70  3a 2f 2f 6d     6c 6f 61  64 65 72 2e

text       h  t  t  p   :  /  /  m      l  o a   d  e  r  .



00000010   f3 81 7b 7f  aa 03 d0 3d  27 be 08 f8  85 34 44 87

key        90 ef 54 12  c6 67 ff 5f 90 78 90  f5 34 98 11

plain      63 6e 2f 6d  6c 64 2f 62     2e 70 68  70 00 dc 96

text       c  n  /  m   l  d  /  b      .  p h   p  \0 ?  ?



M1 00000000   f8 9b 20 62  fc 48 d0 2a  2e fc 11 f9  81 1a f6 74

key        90 ef 54 12  c6 67 ff 5f 90 78 90  f5 34 98 11

plain      68 74 74 70  3a 2f 2f 75     6c 69 69  74 2e 6e 65

text       h  t  t  p   :  /  /  u      l  i i   t  .  n  e



00000010   e4 c0 38 7d  a7 03 9a 2d  6a f2 1a be  85 5c e8 11

key        90 ef 54 12  c6 67 ff 5f 90 78 90  f5 34 98 11

plain      74 2f 6c 6f  61 64 65 72     62 62 2e  70 68 70 00

text       t  /  l  o   a  d  e  r      b  b .   p  h  p  \0

Now, in the second line of M1, we have “bb.php”, and it looks like this also appears in “mld/b?.php” in the second line of T1. With this we can fill in the last missing byte.

T1 00000000   f8 9b 20 62  fc 48 d0 32  3c fc 17 f1  91 51 ea 3f

key        90 ef 54 12  c6 67 ff 5f 45 90 78 90  f5 34 98 11

plain      68 74 74 70  3a 2f 2f 6d  79 6c 6f 61  64 65 72 2e

text       h  t  t  p   :  /  /  m   y l  o  a   d  e  r  .



00000010   f3 81 7b 7f  aa 03 d0 3d  27 be 08 f8  85 34 44 87

key        90 ef 54 12  c6 67 ff 5f  45 90 78 90  f5 34 98 11

plain      63 6e 2f 6d  6c 64 2f 62  62 2e 70 68  70 00 dc 96

text       c  n  /  m   l  d  /  b   b .  p  h   p  \0 ?  ?



M1 00000000   f8 9b 20 62  fc 48 d0 2a  2e fc 11 f9  81 1a f6 74

key        90 ef 54 12  c6 67 ff 5f 45 90 78 90  f5 34 98 11

plain      68 74 74 70  3a 2f 2f 75  6b 6c 69 69  74 2e 6e 65

text       h  t  t  p   :  /  /  u   k l  i  i   t  .  n  e



00000010   e4 c0 38 7d  a7 03 9a 2d  6a f2 1a be  85 5c e8 11

key        90 ef 54 12  c6 67 ff 5f 45 90 78 90  f5 34 98 11

plain      74 2f 6c 6f  61 64 65 72  2f 62 62 2e  70 68 70 00

text       t  /  l  o   a  d  e  r   / b  b  .   p  h  p  \0

So even if the URLs are unknown, we can still decrypt them if bots with different URLs use the same key. In fact all of the pairs from this group {T1-M1, M1-M5, and T1-M5} can be solved without any really difficult guessing, and using all three makes it much easier. Even when it is not clear what text to fill in next, we can always try different guesses until we find the right one.
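The crib-dragging procedure above, as an added example in Python (not the original author’s tooling): it generalizes the manual worksheet by XORing the two ciphertexts together, which cancels the shared key and leaves p1 XOR p2, so a guessed word can be slid along the difference and kept wherever the other side still reads like a URL. The key length comes from the “http://” crib as in the post; the crib offsets used in solve_pair() are the ones the crib_drag() hits point to, and a crib that contradicts a key byte already fixed is rejected, which is the “we will know soon enough if this was a bad guess” check made explicit.

```python
"""Crib-dragging two Sasfis url0 values that share one repeating XOR key (added example)."""
import string
from typing import List, Optional, Sequence, Tuple

# First two registry rows of the page's T1 and M1 tests (the second key group).
T1_CT = bytes.fromhex("f89b2062fc48d0323cfc17f19151ea3f" "f3817b7faa03d03d27be08f885344487")
M1_CT = bytes.fromhex("f89b2062fc48d02a2efc11f9811af674" "e4c0387da7039a2d6af21abe855ce811")

# Bytes accepted inside a URL when judging a trial decryption.
URL_CHARS = frozenset((string.ascii_letters + string.digits + "-._~:/?#@!$&'()*+,;=%").encode())


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def looks_like_url(chunk: bytes) -> bool:
    return len(chunk) > 0 and all(b in URL_CHARS for b in chunk)


def find_period_from_crib(ciphertexts: Sequence[bytes], crib: bytes = b"http://") -> Optional[int]:
    """The crib at offset 0 yields key[:len(crib)]; the first later offset where those
    key bytes turn *every* ciphertext into URL-looking text is the key length."""
    n = len(crib)
    key_head = xor_bytes(ciphertexts[0][:n], crib)
    for p in range(1, min(len(c) for c in ciphertexts) - n + 1):
        if all(looks_like_url(xor_bytes(c[p:p + n], key_head)) for c in ciphertexts):
            return p
    return None


def crib_drag(c1: bytes, c2: bytes, crib: bytes) -> List[Tuple[int, str]]:
    """Key reuse cancels out: c1 xor c2 == p1 xor p2 byte for byte. XORing a guessed
    word into that difference at offset i shows what the *other* plaintext would be
    there; offsets where the result still looks like a URL are worth keeping.
    A hit is symmetric: the crib may belong to either plaintext."""
    diff = xor_bytes(c1, c2)
    hits = []
    for i in range(len(diff) - len(crib) + 1):
        other = xor_bytes(diff[i:i + len(crib)], crib)
        if looks_like_url(other):
            hits.append((i, other.decode("ascii")))
    return hits


def key_from_cribs(ct: bytes, cribs: Sequence[Tuple[int, bytes]], keylen: int) -> List[Optional[int]]:
    """Each (offset, plaintext) crib fixes key[(offset + j) % keylen]; a crib that
    disagrees with an earlier one is a wrong guess and raises."""
    key: List[Optional[int]] = [None] * keylen
    for off, text in cribs:
        for j, p in enumerate(text):
            idx = (off + j) % keylen
            kb = ct[off + j] ^ p
            if key[idx] is not None and key[idx] != kb:
                raise ValueError(f"crib {text!r} at offset {off} conflicts at key byte {idx}")
            key[idx] = kb
    return key


def decrypt(ct: bytes, key: Sequence[Optional[int]]) -> bytes:
    """Unknown key bytes decrypt to b'?' so partial results read like the worksheets."""
    return bytes(c ^ key[i % len(key)] if key[i % len(key)] is not None else 0x3F
                 for i, c in enumerate(ct))


def c_string(data: bytes) -> bytes:
    return data.split(b"\x00", 1)[0]


def solve_pair() -> Tuple[bytes, bytes, bytes]:
    """Reproduce the page's T1/M1 solution and return (key, T1 URL, M1 URL)."""
    keylen = find_period_from_crib([T1_CT, M1_CT])
    if keylen is None:
        raise ValueError("no key repetition found with the http:// crib")
    # Offsets: "cn/m" was seen at 16, so ".cn/" is tried at 15; "loader" at 9 and
    # "bb.php" at 23 are crib_drag() hits whose other side also reads as a URL.
    cribs = [(0, b"http://"), (15, b".cn/"), (9, b"loader"), (23, b"bb.php")]
    key = key_from_cribs(T1_CT, cribs, keylen)
    if None in key:
        raise ValueError("cribs do not cover every key byte")
    return bytes(key), c_string(decrypt(T1_CT, key)), c_string(decrypt(M1_CT, key))


if __name__ == "__main__":
    print("key length:", find_period_from_crib([T1_CT, M1_CT]))
    for word in (b"loader", b"bb.php", b".php"):
        print(word.decode(), "->", crib_drag(T1_CT, M1_CT, word))
    key, t1_url, m1_url = solve_pair()
    print(key.hex(), t1_url, m1_url)
```

With three or more ciphertexts under the same key the same difference trick applies pairwise, and each extra sample shrinks the set of offsets where a wrong crib still happens to look printable on every other side.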

Of course the weaknesses in this encryption could have been avoided, or at least reduced. For example, not re-using keys would have helped. What we may be seeing here is evidence that, like many computer users, bot herders don’t take security as seriously as they should.

Posted in Security.

The converse of the Nagell-Lutz theorem

The Nagell-Lutz theorem tells us that rational points of finite order have integer coordinates, but it doesn’t tell us that points with integer coordinates have finite order. As a reminder, here’s the statement of the Nagell-Lutz theorem.

Let $y^2 = x^3 + ax + b$ be an elliptic curve with integer coefficients and let $D = 4a^3 + 27b^2$. If $P = (x_P, y_P)$ is a rational point of finite order, then $P$ has integer coordinates and either $y_P = 0$ or $y_P^2 \mid D$.

Here are some examples of points with integer coordinates that don’t have finite order.

The point P = (1,2) is on the elliptic curve

$y^2 = x^3 + 3$

but (1,2) isn’t a point of finite order. We have that

2P = (-23/16,-11/64)

for example. Since 2P doesn’t have integer coordinates, it’s not a point of finite order, so P isn’t either.

For another example, consider the elliptic curve

$y^2 = x^3 + 17$

There are 16 points with integer coordinates on this curve. These are the following

(-2,±3)

(-1,±4)

(2,±5)

(4,±9)

(8,±23)

(43,±282)

(52,±375)

(5234,±378661)

Although we can find a few cases where adding these points gives another point with integer coordinates, like

(-2,3) + (-1,4) = (4,-9)

most cases don’t. We have that

(-1,4) + (-1,4) = (137/64, -2651/512)

for example.

Even worse, we have that

(5234,378661) + (5234,378661) has x-coordinate 187618163896928/143384152921, which is not an integer.

None of these points has finite order, although they all have integer coordinates. So points of finite order have to have integer coordinates, but not all points with integer coordinates have finite order.
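The arithmetic behind the examples above, written out as an added derivation (not from the original post) with the usual chord-and-tangent formulas:

```latex
\begin{align*}
&\text{On } y^2 = x^3 + ax + b,\ \text{for } P_1=(x_1,y_1),\ P_2=(x_2,y_2),\ P_1 \neq -P_2: \\
&\lambda = \frac{y_2 - y_1}{x_2 - x_1}\ \ (x_1 \neq x_2), \qquad
 \lambda = \frac{3x_1^2 + a}{2y_1}\ \ (P_1 = P_2), \\
&x_3 = \lambda^2 - x_1 - x_2, \qquad y_3 = \lambda(x_1 - x_3) - y_1. \\[6pt]
&y^2 = x^3 + 3,\ 2\cdot(1,2):\quad \lambda = \tfrac{3}{4},\quad
 x_3 = \tfrac{9}{16} - 2 = -\tfrac{23}{16},\quad
 y_3 = \tfrac{3}{4}\bigl(1 + \tfrac{23}{16}\bigr) - 2 = \tfrac{117}{64} - \tfrac{128}{64} = -\tfrac{11}{64}. \\[6pt]
&y^2 = x^3 + 17,\ (-2,3) + (-1,4):\quad \lambda = \tfrac{4 - 3}{-1 - (-2)} = 1,\quad
 x_3 = 1 - (-2) - (-1) = 4,\quad y_3 = 1\cdot(-2 - 4) - 3 = -9. \\[6pt]
&y^2 = x^3 + 17,\ 2\cdot(-1,4):\quad \lambda = \tfrac{3}{8},\quad
 x_3 = \tfrac{9}{64} + 2 = \tfrac{137}{64},\quad
 y_3 = \tfrac{3}{8}\bigl(-1 - \tfrac{137}{64}\bigr) - 4 = -\tfrac{603}{512} - \tfrac{2048}{512} = -\tfrac{2651}{512}.
\end{align*}
```

The chord through (-2,3) and (-1,4) meets the curve a third time at (4,9); the group-law sum is the reflection of that point, (4,-9). Either way the result is an integer point, which is exactly why this one addition does not settle the question and the doublings with fractional results do.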

Posted in Security.

Is your social media message in-tune?

After attending the talk given by Mike Murray at the RSA Conference in San Francisco last week on “Tweeting for Dollars: Using Social Media to Enhance your Career in Security”, I found myself even more intrigued by some people’s message in the social media spectrum. One of the major points Mike made during his talk was that not only do organizations need a social media strategy, but each person who engages in social media should think about theirs as well. Regardless of intent, each person in social media has a brand. It is our responsibility to ensure that this brand reflects what we want it to be. Some brands are easier to spot than others, but what is your brand saying about you?

The best question asked during the presentation came from a gentleman who felt he was ‘screwing up’ his Twitter account. By his definition, screwing up meant that he wasn’t focused on tweeting only about his career; he was tweeting about everything and talking to people. This wasn’t a screw-up at all: this gentleman was having a conversation, he was doing social media right! The humanity of social media is what makes it so attractive to readers. People have been using the internet for years to read press releases, and some even use RSS feeds daily to keep up with news articles. They don’t need Twitter or Facebook for that. Social media lets us all know that every celebrity, industry pundit, and random person you met at a convention has something else going on outside of the career or hobby they are known for.

As an organization, it is also very important to decide how the corporate brand is going to be reflected by the employees. Compose a social media policy stating whether employees are allowed to share corporate information, or whether that is to be left solely to the corporate social media accounts and team. If employees are allowed to share certain corporate data, it is very important to identify and classify what information is never to be shared in the social media space. The organization is also responsible for educating employees about these policies to ensure a clear, unified message.

So how would a person or an organization drive their brand while engaging their audience? Have a conversation! Read what your followers are doing, and engage them. Sure, throw out important self-serving information as well (e.g. blog post announcements, PR release links, etc.), but also retweet and share other contributors’ information. Know who your audience is, and get to know them!

Sharing is caring!

Posted in Security. Tagged with , , , , .

Is your social media message in-tune?

After attending the talk given by Mike Murray at RSA Conference in San Francisco last week on “Tweeting for Dollars: Using Social Media to Enhance your Career in Security”, I found myself even more intrigued by some people’s message in the social media spectrum. One of the major points that Mike made during his talk was that not only do organizations need to have a social media strategy, but each person who is engaging in social media should think about theirs as well. Regardless of any intent, each person in social media has a brand. It is our responsibility to ensure that this brand reflects what we want it to be. Some brands are easier to spot than others, but what is your brand saying about you?

The best question that someone asked in the presentation came from a gentleman who was ‘screwing up’ his Twitter account. By his definition of screwing up, it meant that he wasn’t focused on tweeting about his career only; he was tweeting about everything and talking to people. This wasn’t a screw-up at all: this gentleman was having a conversation, he was doing social media right! The humanity of social media is what makes it so attractive to readers. People have been using the internet for years to read press releases, and some even use RSS feeds on a daily basis to keep up on those news articles. They don’t need Twitter or Facebook to keep up on that. Social media lets us all know that every celebrity, industry pundit, and random person you met at a convention has something else going on outside of the career or hobby they are known for.

As an organization, it is also very important to decide how the corporate brand is going to be reflected by the employees. Compose a social media policy stating whether employees are allowed to share corporate information, or whether that is going to be left only to the corporate social media accounts and team. If employees are allowed to share certain corporate data, it is very important to identify and classify what information is never to be shared in the social media space. The organization is also responsible for educating employees on these policies to ensure a clear, unified message.

So how would a person or an organization drive their brand while engaging their audience? Have a conversation! Read what your followers are doing, and engage them. Sure, throw out important information that is self-serving as well (i.e. blog post announcements, PR release links, etc.), but also retweet and share other contributors’ information. Know who your audience is, and get to know them!

Sharing is caring!

Posted in Security.

Daily Anti-Spam Test Results Published by ICSA Labs for Feb 2010

In the market for an anti-spam solution? Already deploying an anti-spam device but wondering how well it protects you compared to other similar products? ICSA Labs tests anti-spam devices every day of the year. After each month we post succinct and free 1-page reports that depict how effective and accurate ICSA Labs certified anti-spam products are. To see the February reports for the ICSA Labs certified anti-spam products, click on each hyperlink:

Of course, you can view and bookmark the ICSA Labs anti-spam certified product list. Please contact the ICSA Labs anti-spam program manager if you have any questions, comments, or suggestions.

Posted in Security.

Top 8 Ways To Protect Your Home

Ever stay awake at night wondering if your home, family members and valuables are protected enough? FBI data reports that a place of residence is burglarized every 15 seconds, but the latest security technology can make your home safer than ever before. Sleep easy knowing you and your family are safe by having these top 8 security products that protect you from danger.


Posted in Security.

Katana: portable multi-boot security suite [Wouter Veugelen]

Katana is a portable multi-boot security suite designed for many of your computer security needs. The idea behind this tool is to bring together all of the best security distributions to run from one USB drive. Katana includes distributions which focus on Pen-Testing, Auditing, Forensics, System Recovery, Network Analysis, Malware Removal and more.

Distros that are currently included in Katana:

- Backtrack 4
- the Ultimate Boot CD
- Ultimate Boot CD for Windows
- Ophcrack Live
- Puppy Linux
- Kaspersky Live
- Trinity Rescue Kit
- Clonezilla
- Darik’s Boot and Nuke

http://www.hackfromacave.com/katana.html

Posted in Security.