Events Related:
- MalCon, a security event for malware authors
Spread across the world, malcoders now have a common platform to demonstrate expertise, get a new insight and be a part of the global MALCODER community.
- MalCon: A Call for ‘Ethical Malcoding’ – krebsonsecurity.com
- New Conference Wants to Bring Malware Writers Out of the Shadows – threatpost.com
Resources:
- Recon 2010: Intro to Embedded Reverse Engineering for PC reversers – hexblog.com
I have also uploaded some of the tools I mentioned, most notably various filesystem extractors compiled for Win32.
- Privacy Now TV – absolute.com
A new web series, Privacy Now TV, has launched to explore topics around “online privacy and security… in a Facebook world.”
Tools:
- DotDotPwn v1.0 – Directory Traversal Checker/Scanning Tool – darknet.org.uk
A simple PERL tool which detects several Directory Traversal Vulnerabilities on HTTP/FTP Servers.
- WinAppDbg 1.4 is out! – breakingcode.wordpress.com
The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.
- Ostinato 0.2 – code.google.com/p/ostinato/
Ostinato is an open-source, cross-platform network packet/traffic generator and analyzer with a friendly GUI.
- Better, Faster, Stronger: DLLHijackAuditKit v2 – metasploit.com
Due to an overwhelming amount of interest in the initial DLLHijackAuditKit released on Monday, I rewrote the tool to use native JScript.
- RSMangler Keyword Based Wordlist Generator – randomstorm.com
The main new feature is permutations mode which takes each word in the list and combines it with the others to produce all possible permutations (not combinations, order matters).
- WinAppDbg – Python Instrumentation Scripting/Debugging Tool For Windows – darknet.org.uk
The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.
- SIP Inspector – sites.google.com/site/sipinspectorsite/
SIP Inspector is a tool written in JAVA to simulate different SIP messages and scenarios.
- WebAppTools v0.2 – code.google.com/p/webapptools/
The given complex is intended for inventory and a security estimation of various (heterogeneous) web-applications. The project is developed with usage of WebEngine kernel.
- RainbowCrack 1.5 released – project-rainbowcrack.com
One big advantage of 64-bit operating systems is that more than 4 GB of memory can be used by application.
- cvechecker – cvechecker.sourceforge.net/
The goal of cvechecker is to report about possible vulnerabilities on your system, by scanning the installed software and matching the results with the CVE database.
Techniques:
- EasyRMtoMP3 exploit for Vista SP2 – i8jesus.com
In my likely impossible challenge to ever understand one of Nico Waisman’s talks, I found corelanc0d3r’s site.
- Favorite nmap NSE scripts – attackvector.org
I’ve written a couple of posts about it and why I find it so useful, but in this post I’m going to cover some of my favorite scripts that come with the most recent Nmap release.
- Bypassing Restrictive Proxies Part 2, Modified Windows Shell via Metasploit PassiveX – grey-corner.blogspot.com
In the Download and Execute Script Shellcode post, I discussed some of the problems that a restrictive proxy could pose when you were attempting to use it as transport device for your exploitation traffic.
- New Windows Meterpreter Search Functionality – darkoperator.com
Yesterday Stephen Fewer committed to the development version of Metasploit code for the Windows Version of Meterpreter for searching thru the file system and using the index service of the modern versions of Windows.
Vulnerabilities:
- DLL Exploit on Windows
Microsoft acknowledged in an advisory on Monday a type of attack mechanism known as DLL preloading, or binary planting and said that while it is not new it does have a new remote-attack vector.
- Microsoft Security Advisory (2269637) – microsoft.com
- Windows DLL bug hits dozens of apps – cnet.com
- Details Emerge on Severe Windows App Flaws – threatpost.com
- More information about the DLL Preloading remote attack vector – technet.com
- DLL pre-loading attack vector addressed by Microsoft – sophos.com
- DLL exploit not a job for secure coding programs – erratasec.blogspot.com
- Some Linux Distros Vulnerable to Version of DLL Hijacking Bug – threatpost.com
- DLL hijacking vulnerabilities – sans.edu
- Video Demo of DLL Hijacking Attack. – attackvector.org
- HD Moore on the Windows DLL Vulnerability – threatpost.com
- New DLL Hijacking Exploits (many!) – attackvector.org
- DLL Hijacking (KB 2269637) – the unofficial list – corelan.be
- DLL Hijacking: Facts and Fiction – threatpost.com
- Exploiting DLL Hijacking Flaws – metasploit.com
- Protecting Against the New DLL Attack – paloaltonetworks.com
- SET v0.6.1 – Metasploit DLL Hijack Demo – secmaniac.com
- It’s those darned DLLs again… – windowsir.blogspot.com
- Alternative DLL Hijacking Method – attackvector.org
- DLL pre-loading research: the pre-release – fortinet.com
- DLL Hijacking and Why Loading Libraries is Hard – f-secure.com
- Mozilla Thunderbird DLL Hijacking Exploit – exploit-db.com
- VLC Media Player DLL Hijacking Exploit – exploit-db.com
- Microsoft Visio 2003 DLL Hijacking Exploit – exploit-db.com
- Autorun DLL Hijacker (USB stick) – attackvector.org
- Exploiting DLL Hijack in the real world – digitalacropolis.us
Other News:
- Anti-virus Products Struggle Against Exploits – krebsonsecurity.com
Most anti-virus products designed for use in businesses do a poor job of detecting the exploits that hacked and malicious Web sites use to foist malware, a new report concludes.
- Google Advanced Operators And Government Website Leakage – guerilla-ciso.com
All the “infosec cool kids” have been having a blast this week using a combination of filetype and site operators to look for classification markings in documents.
- The Government’s New Right to Track Your Every Move With GPS – yahoo.com
Government agents can sneak onto your property in the middle of the night, put a GPS device on the bottom of your car and keep track of everywhere you go.
- Icons of the Web – nmap.org
A large-scale scan of the top million web sites (per Alexa traffic data) was performed in early 2010 using the Nmap Security Scanner and its scripting engine.
- Thumb Drive Attack in 2008 Compromised Classified U.S. Networks – threatpost.com
A senior official at the Department of Defense is talking publicly about a 2008 security breach that he claims compromised classified intelligence networks used by the U.S. military.
- Military Computer Attack Confirmed – nytimes.com
A top Pentagon official has confirmed a previously classified incident that he describes as “the most significant breach of U.S. military computers ever”.
- DiskGenie hacking – adafruit.com
Great review / write up and hacking of the iStorage DiskGenie (Portable Encrypted Hard Drive with Secure PIN code access)
- Hackers accidentally give Microsoft their code – zdnet.com.au
When hackers crash their systems while developing viruses, the code is often sent directly to Microsoft, according to one of its senior security architects, Rocky Heckman.