Labgeek's Bl0g

Computer Incident Responders Course (CIRC)

Mon, 06 Jul 2009 20:53:07 -0500

Down at DC3 (dc3.mil) taking the CIRC course for two weeks in Linthicum, MD - ugggg. Class is full of Fort Bragg Army MI peeps who are barely old enough to drink beer. Apparently, after this class we are classified as Certified Digital Media Collector (CDMC), but we all know what certs really mean, nada - but I am not complaining...

Analysis of Conficker worm

Tue, 14 Apr 2009 20:14:18 -0500

Saw this on the Arbor networks blog and thought I would post it as a link, excellent analysis of the conficker worm.

http://mtc.sri.com/Conficker/

Below is the abstract....

Cell phone forensics training at DC3

Sun, 15 Mar 2009 13:57:47 -0500

I am at Cell phone forensics training this week at DC3 in Linthicum, MD. The class looks really interesting and will be focusing on the operating systems associated with the main PDA devices - Palm, Windows, CE, RIM Blackberry, common cellular handsets, and a basic understanding of SIM cards. In addition, they will be talking about the hybrid versions of these devices for acquisitions and analysis. Should be a fun week....

Create statically linked dc3dd for linux

Thu, 12 Feb 2009 21:46:03 -0500

Dowload dc3dd from HERE and to your /tmp dir or whatever dir you want.
cd /tmp/dc3dd-6.12.2
env CFLAGS=-static
./configure
make clean
make
cd src
ls -la
(You should see a dc3dd file in green along with the object files that were created during the compiling process)
strip dc3dd (this removes the debugging information that was created during the compilation process
file ./dc3dd - just tells you that the exe is statically linked

DoD CyberCrime Conference 2009

Sun, 25 Jan 2009 13:19:30 -0500

Just got to St. Louis, MO a few hours ago ready for the DoD CyberCrime Conference. The talks look to be pretty interesting, we will see how the week goes though. The conference will be held at the St. Louis Renaissance Grand Hotel this week. Tomorrow is the classified briefings at Scott AFB so that should be interesting, supposed to have lunch with my old office-mate Dan, hopefully that will be able to happen.

Microsoft® Malware Protection Center : The new IE exploits for Advisory 961051, now hosted on pornography sites

Tue, 16 Dec 2008 19:28:25 -0500

The new IE exploits for Advisory 961051, now hosted on pornography sites

Two days ago, we blogged about attacks that involve exploits of the recently discovered vulnerability in Internet Explorer. We would like to give you a quick update about these attacks.

Based on our stats, since the vulnerability has gone public, roughly 0.2% of users worldwide may have been exposed to websites containing exploits of this latest vulnerability. That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: we saw an increase of over 50% in the number of reports today compared to yesterday.

How are the attackers managing to affect more users now? First, some legitimate web sites were maliciously modified to include the exploits. For example a popular search engine in Taiwan was found to be hosting the exploit. Luckily, that site was quickly cleaned. Secondly, we've noticed some pornography sites have started hosting these exploits too: We recently found a web site in Hong Kong that serves various content including adult entertainment. Users who hoped to watch that content, became target of those attacks: specifically, the exploit dropped trojans that we detect as Trojan:Win32/VB.IQ.dr and Trojan:Win32/VB.IQ.

MSRC keeps their advisory updated with possible workarounds. Read carefully, see what applies to you and in the meantime, you should always exercise caution when browsing and try to go to sites that you trust.

-- Ziv Mador & Tareq Saade

Forensic tool detects pornography in the workplace | Latest Security News - CNET News

Sun, 09 Nov 2008 17:55:42 -0500

Pornography in the workplace can pose a serious problem for employers because a significant amount of material is downloaded by employees during business hours.

The viewing of porn at work can result in lost time, creativity, productivity, and employer profitability. More importantly, it can help create a hostile work environment and can be considered sexual harassment, in violation of Title VII of the Civil Rights Act of 1964. Naturally, corporations want to avoid the potentially serious legal consequences and protect their bottom line.

On Sunday, Orem, Utah-based forensic-software maker Paraben plans to introduce a unique piece of enterprise software developed to detect and analyze images on workplace networks and computers for suspect content. The system looks for a number of sophisticated parameters and grades images at three levels, based upon their correlation with criteria that have been programmed into the system.

http://news.cnet.com/8301-1009_3-10084938-83.html?tag=mncol;title

BotHunter Software Distribution Page

Sun, 09 Nov 2008 13:41:45 -0500

BotHunter is a passive network monitoring tool designed to recognize the communication patterns of malware-infected computers within your network perimeter. Using an advanced infection-dialog-based event correlation engine (patent pending), BotHunter represents the most in-depth network-based malware infection diagnosis system available today.

Link to Bothunter software

OpenSSL vulnerability

Wed, 14 May 2008 13:29:26 -0500

Just the other day, CERT announced an OpenSSL vulnerability in the random number generator used by OpenSSL and Debian and Ubuntu systems. According to the vulnerability:

A weakness has been discovered in the random number generator used
by OpenSSL on Debian and Ubuntu systems.  As a result of this
weakness, certain encryption keys are much more common than they
should be, such that an attacker could guess the key through a
brute-force attack given minimal knowledge of the system.  This
particularly affects the use of encryption keys in OpenSSH, OpenVPN
and SSL certificates.  This vulnerability only affects operating systems which (like
Ubuntu) are based on Debian.  However, other systems can be
indirectly affected if weak keys are imported into them.

So for those who are using ubuntu like myself, you might want to update libssl and then 
regen those keys/certs.  More information can be found here.

Net Flow tool list

Wed, 14 May 2008 13:25:28 -0500

I thought I would post a create site that keeps net flow tools up to date - http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html

Some examples of the tools are the following:

FlowScan

A Perl-based system to analyze and report on flows collected by flow-tools, lfapd or cflowd, by Dave Plonka. Sample output graphs are available too, as well as Majordomo-driven mailing lists for announcements and general discussion (archive). It is currently built on Cflow.pm. User-contributed tools based on FlowScan include:

CarrierIn from Stanislav Sinyagin: which claims to be more suitable for larger ISP/Carriers
CUFlow from Matt Selsky and Johan M. Andersen at Columbia University: which is an alternative graphing tool "designed to combine the features of CampusIO and SubNetIO". Robert S. Galloway has contributed a nice howto-style document describing how it can be used.
FlowMonitor from Johan M. Andersen at Columbia University: monitors individual users' network usage against a bandwidth usage policy.
JKFlow by Jurgen Kobierczynski: A new reporting module which is highly configurable using an XML configuration file.
FlowScan+: An extension to FlowScan developed by KISTI/KAIST. Adds servlet-based visualization and support for queries for top user, AS, port, protocol, etc. This is supposed to be available under http://flowscan.kreonet2.net/, but that site doesn't seem to be responsive.

flow-tools

Similar to cflowd but implemented as a set of smaller tools, with the addition of compression of the recorded data, thus capable of recording many more flows in a given amount of disk space. See paper about its application for Intrusion Detection. There is also a mailing list for the package.
There is a short presentation called Ohio Gigapop Traffic Measurements that shows some examples on how flow-tools can be used.
The package is widely used, and there are quite a few user contributions, such as

FlowViewer: Web-interface to flow-tools. Consists of three tools: FlowViewer provides the user with web access to many of the textual and statistical flow-tools reports. FlowGrapher provides a web page with a graph of the selected flow data. These web pages can be saved. FlowTracker (introduced in FlowViewer 3.0, released in July 2006) allows the user to maintain this information long-term by creating four MRTG-like graphs. Filtered flow data is collected every five minutes and the graphs are updated. FlowTracker requires Tobi Oetiker's RRDtool package. Screenshots are available.
flow-extract: which can be used to filter flow-tools-recorded flows through user-specified tests
a set of "Inter.netPH contribs": by Horatio B. Bogbindero
some patches and a Python module: by Robin Sommer.
flow-pairs: A script that extracts lists of the highest bandwidth consumers by host and by port. Installed at UCB. Seems to have similar uses as the older MATHE system.

Net::Flow

Perl module for de- and encoding Netflow (v5/v9) and IPFIX packets.

jflow

A set of Java classes for collecting and analyzing NetFlow data. Supports Netflow versions 5 and 6, multithreaded implementation to facilitate real-time traffic accounting and analysis.

Autofocus

A traffic analysis and visualization tool that describes the traffic mix of a link through textual reports and time series plots. The underlying research is documented in a SIGCOMM 2003 paper, Automatically Inferring Patterns of Resource Consumption in Network Traffic, C. Estan, S. Savage, G. Varghese (PDF paper, PPT slides).

Wisconsin Netpy

Netpy is a network traffic analysis and visualization package developed at University of Wisconsin-Madison. This application is intended for the use of network administrators and it can help understand usage trends in your network as well as support interactive analysis of specific network events of interest. Netpy is distributed under GPL and a BDS-like license. Netpy stores NetFlow records in a local database after applying some sampling to reduce the size of the data. The analysis engine supports interactive analyses on this data where the user chooses the time interval of interest, the filtering rules to apply to the traffic and the type of analysis. The netpy console allows the user to manage the database, and perform analyses interactively or through scripts. The graphical user interface visualizes the results of the analyses accessing the database locally or remotely through a netpy server that is also part of the package.

using Digest::MD5/SHA - OO style

Sun, 04 May 2008 18:07:01 -0500

Took this from another, larger project that I worked on and wrote something small but modular to get me the MD5, SHA1, and SHA256 values for any file I want...nothing novel (and extremely limited) here but more efficient for me and now I can have all my private functions in one customized perl module. Here are the files: filehash.tar.gz.

The package is EncryptTypes::Hash, thus your driver program called getfilehash.pl must be located in the same directory where your EncryptTypes directory sits. Within your EncryptTypes directory, Hash.pm must be located.

Something like:
...
getfilehash.pl
EncryptTypes/
Hash.pm
...
...
...

storm resources and pdfs

Fri, 02 May 2008 13:24:28 -0500

For my documentation, here are some good sites relative to storm and its analysis:

1. http://offensivecomputing.net/
2. http://trustedsource.net/
3. http://asert.arbornetworks.com/
4. http://asert.arbornetworks.com/
5. http://honeyblog.org/
6. http://www.darkreading.com/document.asp?doc_id=151862&f_src=drdaily
7. http://www.usenix.org/events/leet08/tech/full_papers/holz/holz_html/
8. http://noh.ucsd.edu/~bmenrigh/exposing_storm.ppt
9. http://noh.ucsd.edu/~bmenrigh/storm_data.tar.bz2
10. http://www.cs.ucsd.edu/~voelker/pubs/stormspam-leet08.pdf
11. http://sudosecure.net/storm.php
12. http://www.eecs.harvard.edu/~mema/courses/cs264/papers/eclipse-infocom06.pdf
13. http://dsd.lbl.gov/Net-Mon/TALKS/SCNM1-17-02.pdf
14. https://opensvn.csie.org/mlnet/trunk/docs/overnet.txt
15. http://www.tml.tkk.fi/Publications/C/25/papers/Nummipuro_final.pdf
16. http://planete.inrialpes.fr/~perito/
17. http://www.offensivecomputing.net/papers/js-StormWorm-3-23-2008.pdf
18. http://mtc.sri.com/
19. http://www.cyber-ta.org/pubs/StormWorm/SRITechnical-Report-10-01-Storm-Analysis.pdf
20. http://www.secureworks.com/research/threats/view.html?threat=storm-worm
21. http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx
22. http://spamtrackers.eu/wiki/index.php?title=Storm
23. http://malwaredomains.com/
24. http://www.honeynet.org/papers/ff/fast-flux.html
25. http://spamtrackers.eu/wiki/index.php?title=Fast-flux

- just to name a few....I am sure there have been many more but thought I would list a few I have been to...

whoa, lemme at those spam templates

Wed, 30 Apr 2008 17:16:26 -0500

Captured about an hours worth of pcap traffic and decided to pull out those notorious spam templates being sent to and from my infected bot. Will write a quick parser to pick through based on From, To, subject, User-agent, message-id - all of which are assembled within the spam template and then spoofed out using your infected bot as the spamming engine. Listed below are those spam templates from my infected vm bot, here is just one to give you an idea of what it looks like:
template1.txt

Here are the rest if you are interested in seeing all the data:
spamtemplates.tar.gz

MITRE Honeyclient project - CPAN

Tue, 29 Apr 2008 13:25:46 -0500

I noticed a project I worked on published their code in CPAN located at: http://search.cpan.org/~mitrehc/HoneyClient-Manager-0.99/. To my knowledge the project integrated with Caputre-HPC to handle their real-time integrity check functionality. Additionally, if you want to find our more with the status of the project, you can visit their main site at: http://honeyclient.org/trac. If you are curious and don't know what a honeyclient is, it is " a dedicated host that drives specially instrumented applications to access remote servers to see if those servers are behaving in a malicious manner. Specifically, honeyclients can proactively detect exploits against client applications without known signatures.". Some of my work can be found here as well: http://search.cpan.org/src/MITREHC/HoneyClient-Manager-0.99/lib/HoneyClient/Manager/FW.pm
or
http://honeyclient.org/trac/browser/honeyclient/trunk/lib/HoneyClient/Manager/FW.pm

pcaplistener-v0.2.pl

Mon, 28 Apr 2008 21:24:15 -0500

I added some more functionality to my homemade sniffer which now grabs all the outbound DNS packets from my infected bot. The variant I am running I grabbed from sudosecure.net, 681554faf60a96ad2fcebcee4a8e0b53 StormCodec8.exe. Some quick stats, in thirty minutes of sniffing, I grabbed 6781 unique DNS hostnames and 12383 ip address ( unique 6748 unique) going across the wire. Here is a file with the latest printout of IPs => GeoIP lookup:
042808_latest_run.txt

Here is a snippet of what hostnames I found coming from my box once infected, the file lists the hostname => # of ips it resolves to and all the IP addresses:
dnsoutputfile.txt

I have some more data but will put it up later...