Sp0oKeR Labs

Let's make TCP faster (Google researchers)

2012-01-24T17:59:00.003-02:00

Post e pesquisa bem interessante pelo time do google

http://googlecode.blogspot.com/2012/01/lets-make-tcp-faster.html

Abs!

Rodrigo "Sp0oKeR" Montoro

Agenda da Serie Snortando

2012-01-22T23:03:00.000-02:00

Caros,

Essa semana postarei o post inicial da serie e logicamente será com o básico explicando o funcionamento do snort . Abaixo montei a agenda do que pretendo escrever, não necessariamente falarei nessa ordem exata (logicamente algumas coisas tem que ser na ordem) e caso necessário adicionarei artigos, bem como novidades que deverão aparecer no decorrer da serie.

Pretendo atualizar/postar a cada semana ou no máximo 10 dias sendo que alguns posts serão maiores e mais complexos e alguns mais simples.

Agenda:

1-) Introdução Snort
2-) DAQ - Data Aquisition
3-) Entendendo básico do snort.conf
4-) Introdução Decoders
5-) Introdução Pre-Processadores (após a introdução cada pre-processador será um artigo)
6-) Preproc Rules
7-) Stream5
8-) Frag3
9-) Reputation
10-) SMTP
11-) Pop / Imap
12-) FTP/Telnet
13-) SFPortScan
14-) http_inspect
15-) Sensitive Data
16-) Performance (PerfProfiling)
17-) dcerpc2
18-) Razorback
19-) SSL/SSH
20-) Introdução Regras Snort
21-) Básico Criação de Regras
22-) Laboratorio Básico
23-) Tags avançadas
24-) Laboratorio Tags avançadas
25-) Host Attribute Table
26-) IPv6
27-) Posicionamento
28-) Interfaces de Gerenciamento (Snorby / BASE)

Como podemos observar será uma serie longa mas que visa realmente explicar o funcionamento da ferramenta para que possamos tirar o maximo proveito da ferramenta.

Tentarei se possivel fazer webex de alguns assuntos que fiquem muito complexo escrever e tentarei ao maximo sempre criar ferramentas para demonstrar na pratica a importancia da configuracao correta.

Espero que todos acompanhem! Essa semana postarei a introdução!

Happy Snorting!

Rodrigo "Sp0oKeR" Montoro!

[Snort-devel] Snort 2.9.2.1 Now Available

2012-01-19T17:44:00.002-02:00

Snort 2.9.2.1 is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Release section.

2.9.0 RC & later packages are signed with a new PGP key
(that is signed with the previous key).

Snort 2.9.2.1 includes the following updates and improvements:
* Added new alerts for HTTP (undefined methods & HTTP 0.9 simple
requests).

* Updates to Stream preprocessor in TCP session tracking to avoid
re-queuing retransmitted data that was already flushed. Also
various tweaks for PAF flushing.

* Updates to reputation preprocessor to handle shared memory
switching.

* Updates to the SCADA preprocessors in their handling of PAF
flushing and Modbus request/response length checking. Also tweaks
in alerts for reserved DNP3 functions.

* Updates to flowbit groups to always use the group when some rules
refer to a flow group while others do not refer to a group for the
same flowbit.

* Updates to GTP preprocessor to check invalid extension header
length for GTPv1.

* Updates to sfrt library, used in reputation preprocessor and target
based configuration, when calculating memory allocated and support
for IPv6.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs@snort.org.

Happy Snorting!
The Snort Release Team

[Emerging-Sigs] Suricata 1.2 Available!

2012-01-19T16:00:00.000-02:00

The OISF development team is proud to announce Suricata 1.2. This release brings HTTP file inspection and extraction and a whole lot more.

Get the new release here:
http://www.openinfosecfoundation.org/download/suricata-1.2.tar.gz

The configuration file has evolved but backward compatibility is provided. We thus encourage you to update your suricata configuration file. Upgrade guidance is provided here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_11_to_Suricata_12

New features

- file name, type inspection and extraction for HTTP
- filename, fileext, filemagic and filestore keywords added
- "file" output for storing extracted files to disk
- file_data keyword support, inspecting normalized, dechunked, decompressed HTTP response body (feature #241)
- new keyword http_server_body, pcre regex /S option
- option to enable/disable core dumping from the suricata.yaml (enabled by default)
- human readable size limit settings in suricata.yaml (bug #333)
- PF_RING bpf support (required PF_RING >= 5.2) (feature #334)
- tos keyword support (feature #364)
- IPFW IPS mode does now support multiple divert sockets
- new IPS running modes, Linux and FreeBSD do now support "worker" and "autofp"
- app-layer-events keyword: similar to the decoder-events and stream-events, this will allow matching on HTTP and SMTP events
- auto detection of checksum offloading per interface (#311)
- urilen options to match on raw or normalised URI (#341)
- flow keyword option "only_stream" and "no_stream"
- unixsock output options for all outputs except unified2 (PoC python script in the qa/ dir) (#250)
- http_header and http_raw_header now also inspect HTTP response headers (#389, #397)

Improvements

- general performance improvements
- improved alert accuracy in autofp and single runmodes
- major performance optimizations for the ac-gfbs pattern matcher implementation
- unified2 output fixes
- PF_RING supports privilege dropping now (bug #367)
- improved detection of duplicate signatures
- improved performance in virtual machines (bug #382)
- PCRE-JIT is now enabled by default if available (#356)
- flowbits and flowints are now modified in a post-match action list
- bundled libhtp updated to 0.2.7
- fixed parsing really high sid numbers >2 Billion (#393)
- fixed ICMPv6 not matching in IP-only sigs (#363)

Fixes since 1.2rc1

- improved Windows/CYGWIN path handling (#387)
- fixed some issues with passing an interface or ip address with -i
- make live worker runmode threads adhere to the 'detect' cpu affinity settings

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See http://redmine.openinfosecfoundation.org/projects/suricata/issues for an up to date list and to report new issues.

See http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues
for a discussion and time line for the major issues.

Happy Detection!

Rodrigo Montoro

Paper interessante Analise Estatica de Malwares (Ingles)

2012-01-19T12:45:00.000-02:00

Paper básico mas bem legal no Exploit-DB "Malware Reverse Engineering part1 of 2. Static analysis"

Table of Contents

1. Scope
2. Investigation goals
3. Malware samples analyzed
4 Malware analysis methodology, software, and secure lab setup .
5. General function and functionality of the malware
6. Behavioral patterns of the malware and local system interaction
7. Files and registry keys created, modified and accessed
8. Network behavior (including hosts, domains and ip’s accessed)
9. Time and local system dependant features
10. Method and means of communication
11. Original infection vector and propogation methodology
12. Use of encryption for storage, delivery and or communication
13. Use of self modifying/replicating or encrypted code
14. Any information concerning development of malware (compiler type, packer used, country of origin, author, names/handles, etc
15. Key questions and answers

Para baixá-lo:

http://www.exploit-db.com/download_pdf/18387

Happy Detection!

Rodrigo Montoro

Serie Snortando - Usando e Entendendo o Snort

2012-01-18T22:00:00.000-02:00

Caros,

Iniciarei uma série que chamarei de "Snortando". Minha idéia aqui é semanalmente fazer um post sobre funcionalidades do snort no geral . Entre os assuntos abordarei bastante coisa de pre-processadores (logicamente 1 pre-processador por post visto que a ideia é explicar para o bom uso) entre outras funções:

dcerpc2
decode
decoder_preproc_rules
dnp3
dns
filters
flowbits
frag3
ftptelnet
gre
GTP
http_inspect
imap
ipip
ipv6
modbus
multipleconfigs
normalize
PerfProfiling
pop
ppm
reload
reputation
rzb_saac
sensitive_data
sfportscan
sip
SMTP
ssh
ssl
stream5

Também postarei sobre criação de regras, explicação snort.conf , dicas de instalação e deploy, ferramentas para testes dos pre-processadores , teste de performance de regras, dicas gerais entre outras coisas/idéias que surgirem durante o ano.

Em paralelo a isso também lançaremos via EaD da Dynsec treinamento de análise de pacotes, snort básico, snort avançado e criação de regras .

Acompanhe a nova serie "Snortando". Caso tenha alguma sugestão entre em contato. Possivelmente junto com o primeiro post tentarei colocar uma mini-agenda .

Quem sabe no final não temos um mini howto em pt_BR =)

Em paralelo continuarei postando sobre Deteção de Intrusos e Malwares no geral também .

Happy Snorting!

Rodrigo "Sp0oKeR" Montoro

CAIS-Alerta: resumo dos Boletins de Segurança Microsoft - Jan/2012

2012-01-12T11:22:00.000-02:00

-----BEGIN PGP SIGNED MESSAGE-----

Prezados,

A Microsoft publicou 7 boletins de segurança em 11 de janeiro que abordam
ao todo 8 vulnerabilidades em produtos da empresa. A exploração destas
vulnerabilidades permitem execução remota de código, desvio de recurso de
segurança, elevação de privilégio e divulgação não autorizada de
informação.

SEVERIDADE

. Crítica

- MS12-004 - Vulnerabilidades no Windows Media podem permitir a execução
remota de código

. Importante

- MS12-001 - Vulnerabilidade no kernel do Windows pode permitir o desvio
do recurso de segurança

- MS12-002 - Vulnerabilidade no Windows Object Packager pode permitir a
execução remota de código

- MS12-003 - Vulnerabilidade no Windows Client/Server Run-time Subsystem
pode permitir elevação de privilégio

- MS12-005 - Vulnerabilidade no Microsoft Windows pode permitir a
execução remota de código

- MS12-006 - Vulnerabilidade no SSL/TLS pode permitir divulgação não
autorizada de informações

- MS12-007 - Vulnerabilidade na AntiXSS pode permitir a divulgação não
autorizada de informações

. Moderada

- Nenhum boletim

. Baixa

- Nenhum boletim

O sistema de classificação de severidade das vulnerabilidades adotado pelo
CAIS neste resumo é o da própria Microsoft. O CAIS recomenda que se
aplique, minimamente, as correções para vulnerabilidades classificadas
como crítica e importante. No caso de correções para vulnerabilidades
classificadas como moderadas o CAIS recomenda que ao menos as
recomendações de mitigação sejam seguidas.

. Crítica - Vulnerabilidades cuja exploração possa permitir a propagação
de um worm sem a necessidade de interação com o usuário.

. Importante - Vulnerabilidades cuja exploração possa resultar no
comprometimento de confidencialidade, integridade ou disponibilidade
de dados de usuários ou a integridade ou disponibilidade de recursos
de processamento.

. Moderada - exploração é mitigada significativamente por fatores como
configuração padrão, auditoria ou dificuldade de exploração.

. Baixa - uma vulnerabilidade cuja exploração seja extremamente difícil
ou cujo impacto seja mínimo.

CORREÇÕES DISPONÍVEIS

Recomenda-se atualizar os sistemas para as versões disponíveis em:

. Microsoft Update
https://www.update.microsoft.com/microsoftupdate/

. Windows Server Update Services
http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

MAIS INFORMAÇÕES

. Resumo do Boletim de Segurança da Microsoft de janeiro 2012
http://www.microsoft.com/technet/security/bulletin/ms12-jan

. Microsoft TechCenter de Segurança
http://technet.microsoft.com/pt-br/security/

. Microsoft Security Response Center - MSRC
http://www.microsoft.com/security/msrc/

. Microsoft Security Research&Defense - MSRD
http://blogs.technet.com/srd/

. Segurança Microsoft
http://www.microsoft.com/brasil/security/

. MS12-001 - Vulnerabilidade no kernel do Windows pode permitir o desvio
do recurso de segurança
http://technet.microsoft.com/en-us/security/bulletin/ms12-001

. MS12-002 - Vulnerabilidade no Windows Object Packager pode permitir a
execução remota de código
http://technet.microsoft.com/en-us/security/bulletin/ms12-002

. MS12-003 - Vulnerabilidade no Windows Client/Server Run-time Subsystem
pode permitir elevação de privilégio
http://technet.microsoft.com/en-us/security/bulletin/ms12-003

. MS12-004 - Vulnerabilidades no Windows Media podem permitir a execução
remota de código
http://technet.microsoft.com/en-us/security/bulletin/ms12-004

. MS12-005 - Vulnerabilidade no Microsoft Windows pode permitir a execução
remota de código
http://technet.microsoft.com/en-us/security/bulletin/ms12-005

. MS12-006 - Vulnerabilidade no SSL/TLS pode permitir divulgação não
autorizada de informações
http://technet.microsoft.com/en-us/security/bulletin/ms12-006

. MS12-007 - Vulnerabilidade na AntiXSS pode permitir a divulgação não
autorizada de informações
http://technet.microsoft.com/en-us/security/bulletin/ms12-007

Identificador CVE (http://cve.mitre.org):

CVE-2011-3389, CVE-2012-0001, CVE-2012-0009, CVE-2012-0005,
CVE-2012-0003, CVE-2012-0004, CVE-2012-0013, CVE-2012-0007

O CAIS recomenda que os administradores mantenham seus sistemas e
aplicativos sempre atualizados, de acordo com as últimas versões e
correções oferecidas pelos fabricantes.

Os Alertas do CAIS também são oferecidos no formato RSS/RDF e no Twitter:
http://www.rnp.br/cais/alertas/rss.xml
Siga @caisrnp

Atenciosamente,
Equipe do CAIS/RNP

##############################

##################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS) #
# Rede Nacional de Ensino e Pesquisa (RNP) #
# #
# cais@cais.rnp.br http://www.cais.rnp.br #
# Tel. 019-37873300 Fax. 019-37873301 #
# Chave PGP disponivel http://www.rnp.br/cais/cais-pgp.key #
################################################################

De volta ao blog .... 2012 novo ano =)

2012-01-10T17:20:00.000-02:00

Caros,

Fiquei um tempo sumido do blog mas agora voltarei a postar regularmente por aqui com dicas, pesquisas e assuntos relacionados a segurança.

Se tiverem assuntos que acham interessante fiquem a vontade para sugerir, se for do meu conhecimento terei prazer em publicar algo.

Logo mais posts a caminho.

Happy Intrusion Detection!

Rodrigo "Sp0oKeR" Montoro

Silver Bullet - Novo Evento de Segurança em São Paulo

2011-10-14T09:33:00.000-03:00

A grade parcial das palestras do Silver Bullet já está no ar. Confira os detalhes dos palestrantes abaixo no link http://www.sbconference.com.br/noticias

- Henrique Takaki – Membro do Advisory Board do PCI Council
- Nelson Novaes Neto – CSO Uol Diveo
- Anderson Ramos - FLIPSIDE Smart Content Provider, Senior Lead
Instructor do (ISC)2
- Nelson Murilo - Profissonal de segurança de instituição financeira e
co-fundador da STS Produções
- Chris Nickerson - CEO of LARES
- Dr. Renato Opice Blum – Opice Blum Advogados
- Fioravante Souza - Coordenador do laboratório regional da Trend
Micro para a América Latina e fundador do projeto Beer Hacking
- Wendel Guglielmetti Henrique - Security Consultant at Trustwave's SpiderLabs
- Eduardo Neves – Consultor de Risk Management e membro do Owasp
Global Education Committee
- Suzely Espadoni - Instituto Nacional do Seguro Social – INSS
- Fosforo - Consultor Independente
- Rodrigo "Sp0oKeR" Montoro - Spiderlabs, Brazilian Snort Communirty
- Marcelo Carvalho, CISSP, CISA, CRISC
- Anchises Moraes de Paula - Idefense
- Rodrigo Antão - Techbiz
- Joaquim Espinhara - Cipher
- Derneval Cunha - Barata Elétrica
- Alberto Fabiano - Quanta Tecnologia
- Ronaldo Vasconcellos - Dragon Research Group (DRG)
- Altieres Rohr - Linha Defensiva

Estarei lá palestrando sobre HTTP Header Hunter , uma nova maneira de detectar tráfego malicioso baseado nos cabeçalhos do protocolo HTTP .

Siga-nos no Twitter: @silverbulletcon

Vai perder ? Nos vemos por lá! =)

Para se inscrever: http://sbconference.com.br/inscricoes

Happy Hacking!

Rodrigo Montoro

Local Threats - O webinar de ameaças brasileiras ( Edição Inicial )

2011-06-12T19:03:00.001-03:00

A idéia do webinar será um bate papo quinzenal do grupo Snort-BR e Malwares-BR apoiado pela Trustwave via Webex sendo o mesmo aberto ao público no geral sendo necessário a inscrição antecipada no link que será publicado em listas e sites. O evento terá como coordenador Rodrigo Montoro (Sp0oKeR) mas não necessariamente ele que estará palestrando/batendo papo virtual sempre. Teremos convidados de outras empresas que se encaixem nas pautas e assuntos tratados e logicamente sempre em português . O grande foco também é falar sobre malwares e tendências para América Latina em especial Brasil e possiveis/correspondente proteções/mitigações .

Mais informações e como se inscrever:

http://malwaresbr.blogspot.com/2011/06/local-threats-o-webinar-de-ameacas.html

Espero voces por lá!

Rodrigo Montoro

LOIC DDoS Analysis and Detection

2011-01-30T12:51:00.000-02:00

Caros,

Fiz uma analise basica do LOIC, ferramenta utilizada para os ataques de DDoS/DoS em prol do Wikileaks . Postwi alguns pontos e regras do snort no blog do Spiderlabs.

http://blog.spiderlabs.com/2011/01/loic-ddos-analysis-and-detection.html

Happy Snorting!

Rodrigo Montoro (Sp0oKeR)

[Owasp-brazilian] OWASP - Encontro do Capítulo São Paulo - 17 de Janeiro 2011

2011-01-13T11:42:00.001-02:00

Pessoal,

Quero convidar a todos para participar do primeiro encontro do capítulo São Paulo da OWASP.

O espaço foi gentilmente cedido pela Editora Abril e o objetivo é discutir as ações do capítulo.

Data: 17 de Janeiro de 2011 das 19:30 às 22:00 hrs.

Endereço: Avenida das Nações Unidas, 7221 Sala Contigo no espaço Victor Civita.

Estacionamento: Rua Sumidouro ou Gilberto Sabino.

Aproveito para pedir a todos interessados que assinem a lista de discussão do capítulo São Paulo.

https://lists.owasp.org/mailman/listinfo/owasp-Sao_Paulo

Por favor, mande um e-mail confirmando a presença para o email: wagner.elias@owasp.org

Dados: Nome e RG

Isto é para autorizar a entrada na Editora Abril.

Grato

--
Wagner Elias - OWASP Chapter Leader São Paulo

Emerging Threats x VRT Rules - Enable versus Classtype

2010-12-23T17:01:00.003-02:00

Playing with bot ruleset I start to analyze some differences between them in special enable x disable rules based on classtype or category . As base I'm using VRT tarball from Nov 23th and ET emerging-all from Dec 22nd .

About VRT (I only analyzed plain-text rules):

Total Plain-text Rules: 16301
Total Enable: 4597
Total Disable: 11704

Enable rules x Category/Classtype

   1370 Status: Enable Category: attempted-user
    925 Status: Enable Category: misc-activity
    646 Status: Enable Category: trojan-activity
    419 Status: Enable Category: attempted-admin
    287 Status: Enable Category: successful-recon-limited
    249 Status: Enable Category: protocol-command-decode
    114 Status: Enable Category: attempted-dos
    111 Status: Enable Category: misc-attack
    108 Status: Enable Category: rpc-portmap-decode
    106 Status: Enable Category: policy-violation
     77 Status: Enable Category: attempted-recon
     42 Status: Enable Category: shellcode-detect
     34 Status: Enable Category: bad-unknown
     32 Status: Enable Category: web-application-attack
     16 Status: Enable Category: denial-of-service
     13 Status: Enable Category: suspicious-filename-detect
     12 Status: Enable Category: suspicious-login
     10 Status: Enable Category: unsuccessful-user
      6 Status: Enable Category: web-application-activity
      5 Status: Enable Category: successful-admin
      4 Status: Enable Category: system-call-detect
      4 Status: Enable Category: string-detect
      4 Status: Enable Category: network-scan
      1 Status: Enable Category: unknown
      1 Status: Enable Category: successful-user
      1 Status: Enable Category: not-suspicious

General Category/Classtype

   3764 attempted-user
   3612 attempted-admin
   3516 protocol-command-decode
   1228 misc-activity
   1119 trojan-activity
    520 web-application-activity
    425 web-application-attack
    358 attempted-recon
    328 bad-unknown
    308 successful-recon-limited
    301 policy-violation
    266 attempted-dos
    198 misc-attack
    133 rpc-portmap-decode
     67 shellcode-detect
     35 suspicious-filename-detect
     32 denial-of-service
     19 suspicious-login
     15 not-suspicious
     12 unsuccessful-user
      9 successful-admin
      8 non-standard-protocol
      6 default-login-attempt
      5 system-call-detect
      5 network-scan
      4 unknown
      4 string-detect
      3 unusual-client-port-connection
      1 successful-user

About ET

Total Plain-text Rules: 11517
Total Enable: 9644
Total Disable: 1873

Enable rules x Category/Classtype

   5049 Status: Enable Category: web-application-attack
   1617 Status: Enable Category: trojan-activity
    474 Status: Enable Category: attempted-user
    376 Status: Enable Category: trojan-activity
    339 Status: Enable Category: protocol-command-decode
    295 Status: Enable Category: attempted-admin
    265 Status: Enable Category: policy-violation
    206 Status: Enable Category: policy-violation
    176 Status: Enable Category: attempted-recon
    167 Status: Enable Category: bad-unknown
    102 Status: Enable Category: misc-attack
     81 Status: Enable Category: misc-activity
     81 Status: Enable Category: attempted-dos
     80 Status: Enable Category: rpc-portmap-decode
     54 Status: Enable Category: web-application-activity
     40 Status: Enable Category: misc-activity
     32 Status: Enable Category: web-application-attack
     30 Status: Enable Category: shellcode-detect
     16 Status: Enable Category: denial-of-service
     16 Status: Enable Category: attempted-recon
     13 Status: Enable Category: not-suspicious
     12 Status: Enable Category: suspicious-filename-detect
     12 Status: Enable Category: attempted-admin
     11 Status: Enable Category: unsuccessful-user
     11 Status: Enable Category: misc-attack
     10 Status: Enable Category: successful-admin
     10 Status: Enable Category: string-detect
     10 Status: Enable Category: attempted-dos
      9 Status: Enable Category: suspicious-login
      5 Status: Enable Category: default-login-attempt
      4 Status: Enable Category: unknown
      4 Status: Enable Category: suspicious-login
      4 Status: Enable Category: successful-user
      4 Status: Enable Category: non-standard-protocol
      4 Status: Enable Category: network-scan
      3 Status: Enable Category: web-application-activity
      3 Status: Enable Category: system-call-detect
      3 Status: Enable Category: successful-recon-limited
      3 Status: Enable Category: successful-dos
      3 Status: Enable Category: bad-unknown
      2 Status: Enable Category: unusual-client-port-connection
      2 Status: Enable Category: not-suspicious
      1 Status: Enable Category: successful-admin
      1 Status: Enable Category: string-detect
      1 Status: Enable Category: shellcode-detect
      1 Status: Enable Category: denial-of-service
      1 Status: Enable Category: attempted-user

General Category/Classtype

   5213 web-application-attack
   1799 trojan-activity
    643 attempted-user
    568 policy-violation
    410   trojan-activity
    384 protocol-command-decode
    373 attempted-admin
    300 misc-activity
    276 attempted-recon
    268   policy-violation
    238 bad-unknown
    137 shellcode-detect
    136 attempted-dos
    134 misc-attack
     95 web-application-activity
     88 rpc-portmap-decode
     80   misc-activity
     39 not-suspicious
     36   web-application-attack
     27 successful-user
     25   attempted-recon
     20 unusual-client-port-connection
     17   misc-attack
     17 denial-of-service
     16 suspicious-filename-detect
     16   attempted-admin
     14 successful-admin
     13   attempted-dos
     12   bad-unknown
     11 unsuccessful-user
     11 unknown
     11 suspicious-login
     11   string-detect
     10   not-suspicious
     10 non-standard-protocol
      7 default-login-attempt
      5 system-call-detect
      5 successful-recon-limited
      5 network-scan
      4   web-application-activity
      4   suspicious-login
      4   suspicious-filename-detect
      4   shellcode-detect
      4   attempted-user
      3 successful-dos
      2 string-detect
      2   denial-of-service
      1   successful-admin
      1   non-standard-protocol

In summary:

- ET has almost double rules enable by default
- VRT most enable rules focus on attempted-user
- ET most enable rules focus on web-application-attack and trojan-activity
- Rules from ET and VRT target different protections what you should analyze where you will seat your sensor for best decision or using both and mixing them

I just did some basic scripting and my numbers could not be accurate but it's a good base .

Happy Snorting!

Rodrigo Montoro (Sp0oKeR)

Palestras no Brasil - OWASP e H2HC

2010-10-06T18:26:00.000-03:00

Caros,

Faz um tempo desde o último post mas a vida anda corrida por esses lados . Faço esse post para comentar mais 2 palestras aceitas só que agora no Brasil felizmente .

A primeira ocorrerá no OWASP AppSec Brasil que acontecerá em Campinas onde falarei do uso do Modsecurity WAF para Virtual Patching ( http://www.owasp.org/index.php/AppSec_Brasil_2010#tab=Speakers)

Mais info: http://www.owasp.org/index.php/AppSec_Brasil_2010#tab=Calls

Outra que tive o prazer de ser aceito e falarei pela primeira vez sera a Hackers to Hackers Conference aka H2HC . Nela falarei sobre minha pdf de scoring da estrutura do pdf o que me deixa bem feliz de falar sobre ela por aqui também.

Mais info: http://www.h2hc.com.br

Espero encontrar com vocês lá .

Happy Hacking!

Rodrigo "Sp0oKeR" Montoro

PDF Talk Accepted at Toorcon San Diego

2010-09-08T09:20:00.000-03:00

I'm very excited that my talk was accepted at Toorcon San Diego. About the conference:

Who:    Hackers Like You.
What:   ToorCon 12
When:   OCT 22rd-24th
Where: San Diego Convention Center
Why:    What Could possibly go wrong?

I'll be talking about part of my research at Trustwave Spiderlabs Research where we are doing a new way to detect malicious pdf files . The title for my talk: "Scoring PDF structure to detect malicious files"

Preliminary Agenda for Toorcon: http://sandiego.toorcon.org/index.php?option=com_content&task=section&id=3&Itemid=9#lineup

Hope to see you there!

Rodrigo "Sp0oKeR" Montoro

Snort Rules - Using content:"GET "; or not ?

2010-09-02T12:07:00.002-03:00

I'm doing some tests with different rules since I'm creating a rules test labs and based on some old read/thread and one simple test here I started to look why do we use content:"GET "; in a lot of rules since it'll not be the first match mostly.

My first test that I started to notice what I read before was about using http_method or not with engine 2.8.6 .

My pcap I created a very simple GET / (packet 5)

$ tshark -r get-NoHost.pcap
1 0.000000 192.168.21.1 -> 192.168.21.131 TCP 61599 > http [SYN]
Seq=0 Win=65535 Len=0 MSS=1460 WS=3 TSV=534894464 TSER=0

2 0.001384 192.168.21.1 -> 192.168.21.131 TCP 61599 > http [ACK]
Seq=1 Ack=1 Win=524280 Len=0 TSV=534894464 TSER=134793051

3 3.798825 192.168.21.1 -> 192.168.21.131 TCP [TCP Dup ACK 2#1]
61599 > http [ACK] Seq=1 Ack=1 Win=524280 Len=0 TSV=534894502
TSER=134794001

4 7.348575 192.168.21.1 -> 192.168.21.131 TCP [TCP segment of a
reassembled PDU]

5 7.892566 192.168.21.1 -> 192.168.21.131 HTTP GET / HTTP/1.0

6 8.197800 192.168.21.1 -> 192.168.21.131 TCP 61599 > http [ACK]
Seq=19 Ack=325 Win=524280 Len=0 TSV=534894546 TSER=134795100

7 8.202863 192.168.21.1 -> 192.168.21.131 TCP 61599 > http [ACK]
Seq=19 Ack=326 Win=524280 Len=0 TSV=534894546 TSER=134795102

8 8.202895 192.168.21.1 -> 192.168.21.131 TCP 61599 > http [FIN,
ACK] Seq=19 Ack=326 Win=524280 Len=0 TSV=534894546 TSER=134795102

I used those rules for testing the basics in my lab:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule One - GET";content:"GET";http_

method;content:"attack";sid:123456;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Two - POST";content:"POST";http_method;content:"index";sid:654321;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Three GET without
http_method";content:"GET";content:"ABCDE";sid:23465324;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Four GET without http_method but using fast_pattern";content:"GET";fast_pattern;content:"ABCDE";sid:9845324;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Five GET without http_method and only content";content:"GET";sid:4365324;)

And as result I got

$ perl rule-test-check.pl get-NoHost.pcap rules-samples/rules-new.rules snort.conf

SpiderLabs Rules Test version 0.1 Alpha

Result: Checked 123456 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule One - GET";content:"GET";http_ method;content:"attack";sid:123456;)

Result: NoCheck 654321 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Two - POST";content:"POST";http_ method;content:"index";sid:654321;)

Result: NoCheck 23465324 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Three GET without http_method";content:"GET"; content:"ABCDE";sid:23465324;)

Result: Checked 9845324 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Four GET without http_method but using fast_pattern";content:"GET"; fast_pattern;content:"ABCDE";sid:9845324;)

Result: Checked 4365324 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"New Rule Five GET without http_method and only content";content:"GET";sid: 4365324;)

Count Summary

Checked: 3
NotChecked: 2

Where:

Checked means that there is some output for this sid for one basic check at least (I'm using as base content GET since we have the packet number 5 with it) .

Based on that I remembered a good thread where Will Metacalf and Steve discuss some new features and http_modifiers use http://sourceforge.net/mailarchive/message.php?msg_name=c13e433a1003092015v2d86f9a7x2eb73a2528df09f3%40mail.gmail.com .

So I tested based on some very basic grep at emerging-all.rules "grep content:"GET " emerging-all.rules " . Using the rules that were output I ran my test against those rules (around 1047 rules) and the summary results:

Checked: 4
NotChecked: 1043

I started to figured out that content:"GET "; when we use that is tobe the first match BUT if you don't specify fast_pattern by default it'll be the bigger content to match ( http://vrt-sourcefire.blogspot.com/2009/07/rule-performance-part-one-content.html ) . So with another basic sed I changed the rules a little bit " sed -e 's/content:"GET ";/content:"GET ";fast_pattern;/g' " where it change for example:

Original

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zeus Bot / Zbot Checkin (/us01d/in.php)"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/us01d/in.php"; reference:url,garwarner.blogspot.com/2010/01/american-bankers-association-version-of.html; reference:url,doc.emergingthreats.net/2010729; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus; classtype:trojan-activity; sid:2010729; rev:3;)

fast_pattern debug choosing the biggest content found

Fast pattern matcher: URI content
Fast pattern set: no
Fast pattern only: no
Negated: no
Pattern offset,length: none
Pattern truncated: no
Original pattern
"/us01d/in.php"
Final pattern
"/us01d/in.php"

After sed

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zeus Bot / Zbot Checkin (/us01d/in.php)"; flow:established,to_server; content:"GET ";fast_pattern; nocase; depth:4; uricontent:"/us01d/in.php"; reference:url,garwarner.blogspot.com/2010/01/american-bankers-association-version-of.html; reference:url,doc.emergingthreats.net/2010729; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus; classtype:trojan-activity; sid:2010729; rev:3;)

Rules fast_pattern debug using this option

Fast pattern matcher: Content
Fast pattern set: yes
Fast pattern only: no
Negated: no
Pattern offset,length: none
Pattern truncated: no
Original pattern
"GET|20|"
Final pattern
"GET|20|"

I rerun the same test and I got:

Checked: 976
NotChecked: 71

* Where NotChecked are mostly some GET content in a different way since I'm doing pretty basic grep/sed and not being so accurate =) .

The last test I changed fast_pattern to http_method but http_method only receive the normalize buffer but the default fast_pattern is the same , that's mean bigger content so no change from the first result.

So my question is: do we really need to analyze GET or POST (probably the same behavior since it's a short name) ? Did somebody try/test something like this before ? am I getting nuts talking about this? =D

In my opinion we could remove content:"GET "; from the rules since it'll only use some checks and "decrease" the performance . I think we already have lot of point that make sure that it's a http traffic since using $HTTP_PORTS , flow , uricontent that comes from http_inspect and so on.

Some friends that I discussed about this told some point as : "maybe the attack can only be done using GET so it's good to specify since using POST will generate a false positive". My argument is the opposite since most rules we are not sure if that works with GET and/or POST only if we don't use them as part of the rule we will mitigate False Negatives and maybe save lot of CPU's cycle (but we need test to make sure about that) . I really prefer couple of FP than FN's .

What do you think ?

Regards,

Rodrigo "Sp0oKeR" Montoro

(IN)Secure Magazine Issue 17 released

2010-09-01T18:47:00.001-03:00

New release of this awesome digital and free magazine

Review: BlockMaster SafeStick secure USB flash drive
The devil is in the details: Securing the enterprise against the cloud
Cybercrime may be on the rise, but authentication evolves to defeat it
Learning from bruteforcers
PCI DSS v1.3: Vital to the emerging demand for virtualization and cloud security
Security testing - the key to software quality
A brief history of security and the mobile enterprise
Payment card security: Risk and control assessments
Security as a process: Does your security team fuzz?
Book review: Designing Network Security, 2nd Edition
Intelligent security: Countering sophisticated fraud

To download it: http://www.net-security.org/insecuremag.php

Regards,

Rodrigo "Sp0oKeR" Montoro

ISSA Day Julho com Conviso falando Blackhat/Defcon/B-Sides

2010-08-27T10:53:00.000-03:00

O Capítulo Brasil da ISSA convida a todos os interessados a participar do ISSA Day de Agosto 2010.
O evento é gratuito e aberto a qualquer interessado e tem o apoio da empresa Conviso IT Security.

Data: 31 de Agosto de 2010, das 19:00h às 22:00h
Agenda:
19h00 – Credenciamento,
19h30 – Palestra da ISSA - Por que ser ISSA?
20h00 – Abertura falando sobre a Conviso.
20h15 – O processo de segurança em desenvolvimento, que não é ISO 15.408
21h00 – Palestra sobre a Black Hat e Defcon
21h45 – Sorteio de Treinamento Conviso e Encerramento – Com HH
Local:
Bar Genoino.
Rua Joaquim Távora 1217, Vila Mariana – São Paulo – SP

Para se inscrever: http://www.issabrasil.org/2010/08/24/issa-day-agosto-2010/

Estarei lá certamente =)!

Happy Hacking!

Rodrigo "Sp0oKeR" Montoro

Updated some info for SET (Social Engineer Toolkit) PDF’s x AntiVirus & Scoring System

2010-08-18T12:12:00.000-03:00

Virus Total Public API will make my live much easier . Look previous post about it http://spookerlabs.blogspot.com/2010/08/virus-total-public-api.html .

Some results really surprised me . Take a look and do your all conclusions .

Best AntiVirus to detect SET Malicious PDF (higher is better):

      7 "Sophos"
      7 "Microsoft"
      7 "GData"
      7 "F-Secure"
      7 "F-Prot"
      7 "ClamAV"
      7 "BitDefender"
      7 "Avast5"
      7 "Avast"
      6 "Sunbelt"
      6 "nProtect"
      6 "McAfee-GW-Edition"
      6 "eTrust-Vet"
      5 "Symantec"
      5 "PCTools"
      4 "eSafe"
      3 "NOD32"
      3 "Kaspersky"
      3 "Ikarus"
      3 "Emsisoft"
      3 "Antiy-AVL"
      2 "McAfee"
      1 "VBA32"
      1 "Panda"
      1 "AVG"
      1 "Authentium"
      1 "AntiVir"
      1 "AhnLab-V3"

Missed PDF detection for SET malicious PDF's (higher is worst) :

7 "VirusBuster"
      7 "ViRobot"
      7 "TrendMicro-HouseCall"
      7 "TrendMicro"
      7 "TheHacker"
      7 "SUPERAntiSpyware"
      7 "Rising"
      7 "Prevx"
      7 "Norman"
      7 "Jiangmin"
      7 "Fortinet"
      7 "DrWeb"
      7 "Comodo"
      7 "CAT-QuickHeal"
      6 "VBA32"
      6 "Panda"
      6 "AVG"
      6 "Authentium"
      6 "AntiVir"
      6 "AhnLab-V3"
      5 "McAfee"
      4 "NOD32"
      4 "Kaspersky"
      4 "Ikarus"
      4 "Emsisoft"
      4 "Antiy-AVL"
      3 "eSafe"
      2 "Symantec"
      2 "PCTools"
      1 "Sunbelt"
      1 "nProtect"
      1 "McAfee-GW-Edition"
      1 "eTrust-Vet"

As we can see lot of AntiVirus missed all PDF from SET what is a big problem for companies . Some AntiVirus have some methods that VirusTotal doesn't emulate and possible those methods could detect them .

I'll do a big analysis against all my pdf's and share the results .

Happy Hacking!

Rodrigo "Sp0oKeR" Montoro

Virus Total Public API

2010-08-17T21:45:00.001-03:00

Today I started to play with Virus Total Public API http://www.virustotal.com/advanced.html

My initial idea was to send files using command line and get the results quickly so I don't need a web browser and spend time uploading the file .

I read their inital samples/docs and build a mix of codes using python (most retrieve from their samples) and perl (only language I can try somehting) . By now what I have :

$ perl vt-auto.pl /LABS/pdf-basics/samples/AdamSamples/15

Sending file /LABS/pdf-basics/samples/AdamSamples/15 to Virus Total ...
Response from VT with resource "86ee2f99a207d31ea2b69198dc2bf5e7c7946eeae7dacdd6032f2c050525bc07-1282091669"

Waiting 120 seconds to wait file /LABS/pdf-basics/samples/AdamSamples/15 be scanned ...

Sending request fo Virus Total about /LABS/pdf-basics/samples/AdamSamples/15 with resource "86ee2f99a207d31ea2b69198dc2bf5e7c7946eeae7dacdd6032f2c050525bc07-1282091669"

Report Results for /LABS/pdf-basics/samples/AdamSamples/15 :
"nProtect": "Trojan-Exploit/W32.Pidief.16718.AV"
"CAT-QuickHeal": ""
"McAfee": "Exploit-PDF.b.gen"
"TheHacker": ""
"VirusBuster": "JS.Crypt.BSP"
"NOD32": "PDF/Exploit.Pidief.AUT"
"F-Prot": "JS/Psyme.HU"
"Symantec": "Trojan.Pidief.D"
"Norman": "JS/Shellcode.GS"
"TrendMicro-HouseCall": "TROJ_PIDIEF.ADY"
"Avast": "JS:Pdfka-PO"
"eSafe": "PDF.Exploit.2"
"ClamAV": "Suspect.PDF.ObfuscatedJS-5"
"Kaspersky": "Exploit.Win32.Pidief.aut"
"BitDefender": "Exploit.PDF-JS.Gen"
"ViRobot": ""
"Sophos": "Mal/PdfEx-C"
"Comodo": "TrojWare.Win32.Exploit.Pidief.aut"
"F-Secure": "Exploit.PDF-JS.Gen"
"DrWeb": "Exploit.PDF.166"
"AntiVir": "EXP/Pidief.JX"
"TrendMicro": "TROJ_PIDIEF.ADY"
"Emsisoft": "Exploit.Pidief!IK"
"eTrust-Vet": "PDF/Pidief.IQ"
"Authentium": "PDF/Obfusc.D!Camelot"
"Jiangmin": ""
"Antiy-AVL": "Exploit/Win32.Pidief"
"Microsoft": "Exploit:Win32/Pdfjsc.AS"
"SUPERAntiSpyware": ""
"Prevx": ""
"GData": "Exploit.PDF-JS.Gen"
"AhnLab-V3": "PDF/Shellcode"
"VBA32": ""
"Sunbelt": "Exploit.PDF-JS.Gen (v)"
"PCTools": "Trojan.Pidief"
"Rising": ""
"Ikarus": "Exploit.Pidief"
"Fortinet": ""
"AVG": "Exploit"
"Panda": ""
"Avast5": "JS:Pdfka-PO"

Detection : (31/41)

I'll improve and fix the code so I can share because now it's impossible . That 120 seconds that I wait is just to make sure that the scan will finish before I try to retrive the results but sometimes depending on file size it'll probably fail .

Nice resource from VirusTotal Team , congratulations!

Happy Hacking!

Rodrigo "Sp0oKeR" Montoro

SET (Social Engineer Toolkit) PDF’s x AntiVirus & Scoring System

2010-08-16T15:59:00.001-03:00

Since Social Engineer Toolkit aka SET is being using in the wild I solved to create their pdf’s and tests against AntiVirus Vendors and against new detection scoring based on Spiderlabs Research .

[---]       The Social-Engineer Toolkit (SET)          [---]
[---]        Written by David Kennedy (ReL1K)          [---]
[---]                 Version: 0.6.1                   [---]
[---]            Codename: 'Arnold Palmer'             [---]
[---]     Report bugs to: davek@social-engineer.org    [---]
[---]        Java Applet Written by: Thomas Werth      [---]
[---]        Homepage: http://www.secmaniac.com        [---]
[---]     Framework: http://www.social-engineer.org    [---]
[---]       Over 1 million downloads and counting.     [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..

             Follow me on Twitter: dave_rel1k

       DerbyCon 2011 Sep29-Oct02 - A new era begins...
                  http://www.derbycon.com

Select from the menu on what you would like to do:

1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7   Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit

Enter your choice: 1

1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu

Enter your choice: 1

1. Adobe Flash Player 'newfunction' Invalid Pointer Use
2. Adobe Collab.collectEmailInfo Buffer Overflow
3. Adobe Collab.getIcon Buffer Overflow
4. Adobe JBIG2Decode Memory Corruption Exploit
5. Adobe PDF Embedded EXE Social Engineering
6. Adobe util.printf() Buffer Overflow
7. Custom EXE to VBA (sent via RAR) (RAR required)
8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun

Enter the number you want (press enter for default):

1. Windows Reverse TCP Shell
2. Windows Meterpreter Reverse_TCP
3. Windows Reverse VNC
4. Windows Reverse TCP Shell (x64)
5. Windows Meterpreter Reverse_TCP (X64)
6. Windows Shell Bind_TCP (X64)

Enter the payload you want (press enter for default):

* All payload 1 – Windows Reverse TCP Shell with port 2345

1. Adobe Flash Player 'newfunction' Invalid Pointer Use

http://www.virustotal.com/file-scan/report.html?id=377ba41782bbeb25c9816d76ec190fb6f4b88c7bbaecc26653a4a6ecc479f3ea-1281835639

File name:flashplayer-newfunction.pdf
Submission date: 2010-08-15 01:27:19 (UTC)
Result: 15/ 42 (35.7%)

$ pdf-analisys.pl -s1 -f flashplayer-newfunction.pdf

flashplayer-newfunction.pdf Malicious PDF Detected

2. Adobe Collab.collectEmailInfo Buffer Overflow

http://www.virustotal.com/file-scan/report.html?id=a4ac73a6efee530a05ea05eeeaa3d8efc137e4eb3bcf4d492c2b318264da2f77-1281836155

File name: collab-collectEmailInfo.pdf
Submission date: 2010-08-15 01:35:55 (UTC)
Result: 17/ 42 (40.5%)

$ pdf-analisys.pl -s1 -f collab-collectEmailInfo.pdf

collab-collectEmailInfo.pdf Malicious PDF Detected

3. Adobe Collab.getIcon Buffer Overflow

http://www.virustotal.com/file-scan/report.html?id=631893cd75bcf60ec82a3f59d3bd3f7f166874641a4ed62ceee28852889ec6e2-1281836494
File name: collab-getIcon.pdf
Submission date: 2010-08-15 01:41:34 (UTC)
Result: 15/ 42 (35.7%)

pdf-analisys.pl -s1 -f collab-getIcon.pdf

collab-getIcon.pdf Malicious PDF Detected

4. Adobe JBIG2Decode Memory Corruption Exploit

http://www.virustotal.com/file-scan/report.html?id=814f20d28de287e76dbfacb14d90dbfab8e0b1e11e16212b88ca3216f2189117-1281836756

File name: JBIG2Decode.pdf
Submission date: 2010-08-15 01:45:56 (UTC)
Result: 15/ 42 (35.7%)

$ pdf-analisys.pl -s1 -f JBIG2Decode.pdf

JBIG2Decode.pdf Malicious PDF Detected

5. Adobe PDF Embedded EXE Social Engineering

http://www.virustotal.com/file-scan/report.html?id=484ba7800fd549b82b6ac4dab5100f3017a0995cc47be13977703a168d1bcef3-1281837936
File name: embeddedfile.pdf
Submission date: 2010-08-15 02:05:36 (UTC)
Result: 15/ 41 (36.6%)

$ pdf-analisys.pl -s1 -f embeddedfile.pdf

embeddedfile.pdf Malicious PDF Detected

6. Adobe util.printf() Buffer Overflow

http://www.virustotal.com/file-scan/report.html?id=99e01802391f77c5c93cdf52cb2eacb5673e6acf7ac90776d477948a7fa1222d-1281838414

File name: utilprintf.pdf
Submission date: 2010-08-15 02:13:34 (UTC)
Result: 16/ 42 (38.1%)

$ pdf-analisys.pl -s1 -f utilprintf.pdf

utilprintf.pdf Malicious PDF Detected

8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun

http://www.virustotal.com/file-scan/report.html?id=0ce18c65373f113916b108508b3afc481e460f77353d1e3ddd259dbd29bab5a1-1281838713
File name: U3D.pdf
Submission date: 2010-08-15 02:18:33 (UTC)
Result: 11/ 42 (26.2%)

pdf-analisys.pl -s1 -f U3D.pdf

U3D.pdf Malicious PDF Detected

Clamav Results

collab-collectEmailInfo.pdf: OK
collab-getIcon.pdf: OK
embeddedfile.pdf: Exploit.PDF-22612 FOUND
flashplayer-newfunction.pdf: OK
JBIG2Decode.pdf: OK
U3D.pdf: OK
utilprintf.pdf: OK

----------- SCAN SUMMARY -----------
Known viruses: 813894
Engine version: 0.96.1
Scanned files: 7
Infected files: 1

* Clamav just updated to new engine 0.96.2 that detected all 7 samples as malicious so UPDATE your engine ASAP .

Virus Total Results

Result: 15/ 42 (35.7%)
Result: 17/ 42 (40.5%)
Result: 15/ 42 (35.7%)
Result: 15/ 42 (35.7%)
Result: 15/ 41 (36.6%)
Result: 16/ 42 (38.1%)
Result: 11/ 42 (26.2%)

Average Detection: 14,85 / 42 or 35,37%

Top5* AntiVirus Results

* Top5 antivirus based on most common names not in detection rates

** Payloads listed bellow:
1. Adobe Flash Player 'newfunction' Invalid Pointer Use
2. Adobe Collab.collectEmailInfo Buffer Overflow
3. Adobe Collab.getIcon Buffer Overflow
4. Adobe JBIG2Decode Memory Corruption Exploit
5. Adobe PDF Embedded EXE Social Engineering
6. Adobe util.printf() Buffer Overflow
8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun

Scoring System Results

collab-collectEmailInfo.pdf Malicious PDF Detected
collab-getIcon.pdf Malicious PDF Detected
embeddedfile.pdf Malicious PDF Detected
flashplayer-newfunction.pdf Malicious PDF Detected
JBIG2Decode.pdf Malicious PDF Detected
U3D.pdf Malicious PDF Detected
utilprintf.pdf Malicious PDF Detected

We sent some papers to a couple of conferences to star to share those information . I’ll let you know if we get approve and where =) .

Let’s keep improving our research and sharing each time more and more information. In the future we’ll share all the information , scoring and parser .

Regards,

Rodrigo "Sp0oKeR" Montoro

Pic from Vegas/Blackhat/Caesar

2010-08-05T02:30:00.003-03:00

Only picture with part of Brazilian friends in Vegas in front of Caesars after Blackhat 2010

Mab , Rodrigo , Wendel , Bruno and Fio

Nice Blackhat staff shirt no ? =D

I'll write a post about Blackhat/Defcon/Spiderlabs meeting during this week yet =)

Regards,

Rodrigo Montoro (Sp0oKeR)

RazorBack - New Sourcefire VRT Project

2010-08-04T14:27:00.001-03:00

VRT guys just released at Defcon 18 version 0.1 for RazorBack . The project is REALLY interesting and it's targeting client-side attack mostly since that's currently where most attacks are .

What is RazorBack ?

Project Razorback™ is an undertaking by the Sourcefire VRT.

Razorback is a framework for an intelligence driven security solution. It consists of a Dispatcher at the core of the system, surrounded by Nuggets of varying types.

The project page could be found here : http://labs.snort.org/razorback/

There you will find the slides, papers, 0.1 files version. Besides that they created a new channel at irc.freenode.net #razorback .

I'll try to do lot of test in next week and post about those here .

For sure this project will grow a lot quickly and kickass in the future . Get involved . I'll for sure .

Happy Snorting!

Rodrigo Montoro (Sp0oKeR)

Snort 2.9.0 Beta Available

2010-07-27T18:04:00.000-03:00

Awesome new features coming with snort 2.9.0 . I'll do lot of tests after Blackhat/Defcon .

A beta version of Snort 2.9.0 is now available on snort.org, at
http://www.snort.org/snort-downloads/

Snort 2.9.0 introduces:

* Feature rich IPS mode including improvements to Stream for
inline deployments. Additionally a common active response API is
used for all packet responses, including those from Stream,
Respond, or React. A new response module, respond3, supports the
syntax of both resp & resp2, including strafing for passive
deployments. When Snort is deployed inline, a new preprocessor
has been added to handle packet normalization to allow Snort
to interpret a packet the same way as the receiving host.

* Use of a Data Acquisition API (DAQ) that supports many different
packet access methods including libpcap, netfilterq, IPFW, and
afpacket. For libpcap, version 1.0 or higher is now required.
The DAQ library can be updated independently from Snort and is
a separate module that Snort links. See README.daq for details
on using Snort and the new DAQ.

* Updates to HTTP Inspect to extract and log IP addresses from
X-Forward-For and True-Client-IP header fields when Snort generates
events on HTTP traffic.

* A new rule option 'byte_extract' that allows extracted values to
be used in subsequent rule options for isdataat, byte_test,
byte_jump, and content distance/within/depth/offset.

* Updates to SMTP preprocessor to support MIME attachment decoding
across multiple packets.

* Ability to "test" drop rules using Inline Test Mode. Snort will
indicate a packet would have been dropped in the unified2 or
console event log if policy mode was set to inline.

* Two new rule options to support base64 decoding of certain pieces
of data and inspection of the base64 data via subsequent rule
options.

* Updates to the Snort packet decoders for IPv6 for improvements to
anomaly detection.

* Added a new pattern matcher that supports Intel's Quick Assist
Technology for improved performance on supported hardware
platforms. Visit http://www.intel.com to find out more about
Intel Quick Assist. The following document describes Snort's
integration with the Quick Assist Technology
http://download.intel.com/embedded/applications/networksecurity/324029.pdf

* Reference applications for reading unified2 output that handle
all unified2 record formats used by Snort.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to snort-beta@sourcefire.com.

Happy Snorting!
The Snort Release Team

Updates/New Features at ViCheck and VirusTotal

2010-07-23T07:42:00.000-03:00

This week those nice online tools made great enhancements specially ViCheck

From ViCheck Blog:

Report page enhancements and Email Report

For recently processed documents such as PDF or MS Office (engine >=193) we are now highlighting more information about the embedded executable such as the encryption/cipher method and information about the key.

To read and see samples about those:

http://vicheck.blogspot.com/2010/07/email-report-enhancements.html
http://vicheck.blogspot.com/2010/07/report-page-enhancements.html

From Virus Total Blog:

They added new engine from SUPERAntiSpyware ( http://www.superantispyware.com/ ) what I help to improve the AV detection rates. Hope it's something not too static only . I really never heard about this engine before .

To read about this: http://blog.hispasec.com/virustotal/49

Happy Hacking!

Rodrigo Montoro (Sp0oKeR)