Saw this on the Arbor networks blog and thought I would post it as a link, excellent analysis of the conficker worm.
Below is the abstract....
Continue reading Analysis of Conficker worm.
I am at Cell phone forensics training this week at DC3 in Linthicum, MD. The class looks really interesting and will be focusing on the operating systems associated with the main PDA devices - Palm, Windows, CE, RIM Blackberry, common cellular handsets, and a basic understanding of SIM cards. In addition, they will be talking about the hybrid versions of these devices for acquisitions and analysis. Should be a fun week....
Dowload dc3dd from HERE and to your /tmp dir or whatever dir you want.
cd /tmp/dc3dd-6.12.2
env CFLAGS=-static
./configure
make clean
make
cd src
ls -la
(You should see a dc3dd file in green along with the object files that were created during the compiling process)
strip dc3dd (this removes the debugging information that was created during the compilation process
file ./dc3dd - just tells you that the exe is statically linked
cd /tmp/dc3dd-6.12.2
env CFLAGS=-static
./configure
make clean
make
cd src
ls -la
(You should see a dc3dd file in green along with the object files that were created during the compiling process)
strip dc3dd (this removes the debugging information that was created during the compilation process
file ./dc3dd - just tells you that the exe is statically linked
Just got to St. Louis, MO a few hours ago ready for the DoD CyberCrime Conference. The talks look to be pretty interesting, we will see how the week goes though. The conference will be held at the St. Louis Renaissance Grand Hotel this week. Tomorrow is the classified briefings at Scott AFB so that should be interesting, supposed to have lunch with my old office-mate Dan, hopefully that will be able to happen.
The new IE exploits for Advisory 961051, now hosted on pornography sites
Two days ago, we blogged about attacks that involve exploits of the recently discovered vulnerability in Internet Explorer. We would like to give you a quick update about these attacks.
Based on our stats, since the vulnerability has gone public, roughly 0.2% of users worldwide may have been exposed to websites containing exploits of this latest vulnerability. That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: we saw an increase of over 50% in the number of reports today compared to yesterday.
How are the attackers managing to affect more users now? First, some legitimate web sites were maliciously modified to include the exploits. For example a popular search engine in Taiwan was found to be hosting the exploit. Luckily, that site was quickly cleaned. Secondly, we've noticed some pornography sites have started hosting these exploits too: We recently found a web site in Hong Kong that serves various content including adult entertainment. Users who hoped to watch that content, became target of those attacks: specifically, the exploit dropped trojans that we detect as Trojan:Win32/VB.IQ.dr and Trojan:Win32/VB.IQ.
MSRC keeps their advisory updated with possible workarounds. Read carefully, see what applies to you and in the meantime, you should always exercise caution when browsing and try to go to sites that you trust.
-- Ziv Mador & Tareq Saade
Pornography in the workplace can pose a serious problem for employers because a significant amount of material is downloaded by employees during business hours.
The viewing of porn at work can result in lost time, creativity, productivity, and employer profitability. More importantly, it can help create a hostile work environment and can be considered sexual harassment, in violation of Title VII of the Civil Rights Act of 1964. Naturally, corporations want to avoid the potentially serious legal consequences and protect their bottom line.
On Sunday, Orem, Utah-based forensic-software maker Paraben
plans to introduce a unique piece of enterprise software developed to
detect and analyze images on workplace networks and computers for
suspect content. The system looks for a number of sophisticated
parameters and grades images at three levels, based upon their
correlation with criteria that have been programmed into the system.
http://news.cnet.com/8301-1009_3-10084938-83.html?tag=mncol;title
BotHunter is a passive network monitoring tool designed to recognize
the communication patterns of malware-infected computers within your
network perimeter. Using an advanced infection-dialog-based event
correlation engine (patent pending), BotHunter represents the most
in-depth network-based malware infection diagnosis system available
today.
Link to Bothunter software
Link to Bothunter software
Just the other day, CERT announced an OpenSSL vulnerability in the random number generator used by OpenSSL and Debian and Ubuntu systems. According to the vulnerability:
A weakness has been discovered in the random number generator used
by OpenSSL on Debian and Ubuntu systems. As a result of this
weakness, certain encryption keys are much more common than they
should be, such that an attacker could guess the key through a
brute-force attack given minimal knowledge of the system. This
particularly affects the use of encryption keys in OpenSSH, OpenVPN
and SSL certificates. This vulnerability only affects operating systems which (like
Ubuntu) are based on Debian. However, other systems can be
indirectly affected if weak keys are imported into them.
So for those who are using ubuntu like myself, you might want to update libssl and then
regen those keys/certs. More information can be found here.
I thought I would post a create site that keeps net flow tools up to date - http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html
Some examples of the tools are the following:
Some examples of the tools are the following:
-
- FlowScan
- A Perl-based system to analyze and report on flows collected by
flow-tools, lfapd or cflowd, by Dave Plonka. Sample output graphs are
available too, as well as Majordomo-driven mailing
lists for announcements and general discussion (archive).
It is currently built on Cflow.pm.
User-contributed tools based on FlowScan include:
- CarrierIn from Stanislav Sinyagin
- which claims to be more suitable for larger ISP/Carriers
- CUFlow from Matt Selsky and Johan M. Andersen at Columbia University
- which is an alternative graphing tool "designed to combine the features of CampusIO and SubNetIO". Robert S. Galloway has contributed a nice howto-style document describing how it can be used.
- FlowMonitor from Johan M. Andersen at Columbia University
- monitors individual users' network usage against a bandwidth usage policy.
- JKFlow by Jurgen Kobierczynski
- A new reporting module which is highly configurable using an XML configuration file.
- FlowScan+
- An extension to FlowScan developed by KISTI/KAIST. Adds servlet-based visualization and support for queries for top user, AS, port, protocol, etc. This is supposed to be available under http://flowscan.kreonet2.net/, but that site doesn't seem to be responsive.
- flow-tools
- Similar to cflowd but implemented
as a set of smaller tools, with the addition of compression of the
recorded data, thus capable of recording many more flows in a given
amount of disk space. See paper
about its application for Intrusion Detection. There is also a mailing
list for the package.
There is a short presentation called Ohio Gigapop Traffic Measurements that shows some examples on how flow-tools can be used.
The package is widely used, and there are quite a few user contributions, such as- FlowViewer
- Web-interface to flow-tools. Consists of three tools: FlowViewer provides the user with web access to many of the textual and statistical flow-tools reports. FlowGrapher provides a web page with a graph of the selected flow data. These web pages can be saved. FlowTracker (introduced in FlowViewer 3.0, released in July 2006) allows the user to maintain this information long-term by creating four MRTG-like graphs. Filtered flow data is collected every five minutes and the graphs are updated. FlowTracker requires Tobi Oetiker's RRDtool package. Screenshots are available.
- flow-extract
- which can be used to filter flow-tools-recorded flows through user-specified tests
- a set of "Inter.netPH contribs"
- by Horatio B. Bogbindero
- some patches and a Python module
- by Robin Sommer.
- flow-pairs
- A script that extracts lists of the highest bandwidth consumers by host and by port. Installed at UCB. Seems to have similar uses as the older MATHE system.
- Net::Flow
- Perl module for de- and encoding Netflow (v5/v9) and IPFIX packets.
- jflow
- A set of Java classes for collecting and analyzing NetFlow data. Supports Netflow versions 5 and 6, multithreaded implementation to facilitate real-time traffic accounting and analysis.
- Autofocus
- A traffic analysis and visualization tool that describes the traffic mix of a link through textual reports and time series plots. The underlying research is documented in a SIGCOMM 2003 paper, Automatically Inferring Patterns of Resource Consumption in Network Traffic, C. Estan, S. Savage, G. Varghese (PDF paper, PPT slides).
- Wisconsin Netpy
- Netpy is a network traffic analysis and visualization package developed at University of Wisconsin-Madison. This application is intended for the use of network administrators and it can help understand usage trends in your network as well as support interactive analysis of specific network events of interest. Netpy is distributed under GPL and a BDS-like license. Netpy stores NetFlow records in a local database after applying some sampling to reduce the size of the data. The analysis engine supports interactive analyses on this data where the user chooses the time interval of interest, the filtering rules to apply to the traffic and the type of analysis. The netpy console allows the user to manage the database, and perform analyses interactively or through scripts. The graphical user interface visualizes the results of the analyses accessing the database locally or remotely through a netpy server that is also part of the package.
Took this from another, larger project that I worked on and wrote something small but modular to get me the MD5, SHA1, and SHA256 values for any file I want...nothing novel (and extremely limited) here but more efficient for me and now I can have all my private functions in one customized perl module. Here are the files: filehash.tar.gz.
The package is EncryptTypes::Hash, thus your driver program called getfilehash.pl must be located in the same directory where your EncryptTypes directory sits. Within your EncryptTypes directory, Hash.pm must be located.
Something like:
...
getfilehash.pl
EncryptTypes/
Hash.pm
...
...
...
The package is EncryptTypes::Hash, thus your driver program called getfilehash.pl must be located in the same directory where your EncryptTypes directory sits. Within your EncryptTypes directory, Hash.pm must be located.
Something like:
...
getfilehash.pl
EncryptTypes/
Hash.pm
...
...
...
