Wednesday, December 31, 2008

Kaminsky's DNS Bug + Rogue CA Certificates = Trust No One

If one piece has been missing from most of the clever and sophisticated phishing attacks seen so far, it is a valid SSL certificate signed by a trusted CA.

Recently, a group of cryptography researchers exploited a weakness in the MD5 hashing algorithm (a chosen-prefix collision) to obtain a rogue CA certificate from a VeriSign-operated CA that was still signing certificates with MD5. With that rogue CA they can issue a certificate for any web site on the Internet, and browsers accept it without a warning. The CA itself was not broken into; it signed exactly what it was asked to sign, and the collision made that signature also valid for the rogue certificate.

I won't repeat their findings here; you can read them here:

Today I want to draw attention to a couple of attack scenarios that phishers and malware authors can build by combining existing techniques, and which would be very hard to stop unless several defenses are deployed together.
The building blocks of such an attack are:

1) DNS cache poisoning (to direct victims to fake sites such as online banks)

2) SQL injection (to inject IFrame redirectors into high-traffic web sites, sending their visitors to the fake site)

3) A double-flux network (botnet) hosting both the malicious name servers (resolving the phishing domains) and the web servers (hosting the phishing pages)

4) Rogue CA SSL certificates (to fool victims: the fake site presents a certificate that chains to a trusted root, and the browser shows the padlock as if the site were legitimate)

So attackers have several pieces to assemble before they can launch a perfect attack. The first three techniques are already in use today, but the crew was missing one very important member: trust.
Until now nobody could break the trust model and build a complete, flawless phishing attack. Now they can generate a browser-trusted certificate for any name and make their phishing bank sites look legitimate and secure. A user performing an online transaction will feel comfortable when the padlock appears and there is no warning about the site's identity.
Countermeasures for website admins:
1) Replace MD5-signed SSL certificates with SHA-1-signed ones (ask your CA to reissue); the collision attack does not apply to SHA-1.
2) Use Extended Validation (EV) certificates; the EV guidelines do not allow MD5 signatures.
Countermeasures for CAs:
1) Stop issuing MD5-signed certificates and sign with SHA-1 instead.
2) Encourage customers to replace their MD5-signed certificates with SHA-1-signed ones.
3) Encourage customers to upgrade their certificates to Extended Validation (EV).
4) Monitor for bursts of Certificate Signing Requests from the same customer in quick succession; the attack depends on predicting the serial number and validity period the CA will put in the next certificate.
5) Add randomness to certificate fields such as the serial number, so that the attacker can no longer predict the exact content the CA is going to sign.
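To check which algorithm a certificate you already have was signed with, the signatureAlgorithm field of its DER encoding is enough. The following is an added example, not code from the original post, that walks the outer DER structure of an X.509 certificate and reports that algorithm without any external library. Because no real certificate can be embedded here, the fake_cert() helper builds constructed stand-in certificates with a stub tbsCertificate; for a real one, read the bytes of the file produced by "openssl x509 -outform DER" and pass them to check_cert(). The three OIDs listed are the standard PKCS#1 RSA signature OIDs. SHA-1, the recommendation at the time of this post, has since been retired by browsers as well, so the function reports it as deprecated rather than OK.

```python
"""Report the signature algorithm of a DER-encoded X.509 certificate.

Added example, not code from the original post.  Only the three PKCS#1 RSA
signature OIDs are named; anything else is reported by its dotted OID.
"""

# RSA PKCS#1 signature algorithm OIDs (RFC 3279 / RFC 4055)
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
BROKEN = {"md5WithRSAEncryption"}       # chosen-prefix collisions are practical
DEPRECATED = {"sha1WithRSAEncryption"}  # accepted in 2008, retired by browsers since


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Turn the base-128 content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID from Certificate.signatureAlgorithm.algorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)            # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)        # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id, 0)           # first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def check_cert(der):
    """Return (algorithm name, verdict); verdict is 'broken', 'deprecated' or 'ok'."""
    oid = signature_algorithm(der)
    name = OID_NAMES.get(oid, oid)
    if name in BROKEN:
        return name, "broken"
    if name in DEPRECATED:
        return name, "deprecated"
    return name, "ok"


# --- constructed stand-in certificates for the demonstration ---------------
def der_tlv(tag, content):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + content


def encode_oid(dotted):
    """Inverse of decode_oid."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert(oid):
    """Constructed certificate: a stub tbsCertificate (padded so its length is
    long-form), a genuine AlgorithmIdentifier for `oid`, and a dummy signature.
    NOT a valid certificate; only enough structure for signature_algorithm()."""
    tbs = der_tlv(0x30, der_tlv(0x04, b"\x00" * 200))
    alg_id = der_tlv(0x30, der_tlv(0x06, encode_oid(oid)) + b"\x05\x00")  # + NULL params
    sig = der_tlv(0x03, b"\x00" + b"\xAA" * 16)
    return der_tlv(0x30, tbs + alg_id + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(check_cert(fake_cert(oid)))
```

Run it against every certificate in a chain, not just the leaf: the rogue CA in the attack described above is an intermediate, so an MD5-signed intermediate is just as bad as an MD5-signed leaf.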
Countermeasures for (Users):
The basics:

1) The padlock alone is not proof; use other ways to make sure you are visiting the legitimate site (type the bank's address yourself instead of following a link, and look at the certificate details).

2) Upgrade your browser to the latest version (IE 8 / FF 3 / Opera 10) to get their built-in anti-phishing filters.

3) Install good endpoint security software to stop malware, and make sure it updates its definitions daily. The latest versions include online security features (e.g. Norton Internet Security 2009 and Kaspersky Internet Security 2009).

4) Install Windows patches and service packs so that malware and online attacks cannot exploit known vulnerabilities in your system.

5) Keep all ActiveX components in your browser up to date by upgrading the software that installed them (e.g. for the PDF reader ActiveX, upgrade Adobe Reader; for the RealPlayer embedded ActiveX, upgrade RealPlayer; and so on). You can use Secunia Personal Software Inspector (PSI) to scan your system for insecure software.

The Advanced:

If you do online transactions, use Authentium's SafeCentral to create a secure session between a locked-down browser and your online bank. It is designed to defend against keyloggers, spyware, DNS poisoning, malware, sniffing and man-in-the-middle attacks.
Visit their website:

Friday, December 19, 2008

DNS Changer 2.0

DNS Changer 2.0 (Trojan.Flush.M) is the next in-the-wild variant of this well-known malware. The strategy has changed: there is no longer any need to modify the DNS settings on ADSL routers. Instead it installs a network driver (NDISProt.sys) which lets the malware send and receive raw Ethernet packets. This approach bypasses the Windows TCP/IP stack, the host firewall and HIPS.

It then acts as a rogue DHCP server on the infected machine: it listens for DHCP requests from the other hosts on the LAN and answers them with its own crafted DHCP offers. The offers contain malicious DNS servers, which redirect those hosts to infected web sites ranging from phishing pages to exploit-and-infect pages.

The question is how to protect and prevent such attacks. Here is my compiled checklist:

1) As always, keep your systems up to date and make sure the latest browser (IE 7/8, FF 3, Google Chrome or Opera 10) is deployed across your network, because the chain usually starts by exploiting an old browser and proceeds from there.

2) Make sure your antivirus is able to detect and block this malware. If you find a suspicious process listening on UDP port 67, submit it to your vendor or use

3) If you are a Cisco shop, you are lucky: their switches have a built-in security mechanism called "DHCP Snooping". It filters DHCP server messages arriving on untrusted ports and builds and maintains a DHCP snooping binding table. Read more about it.

This is an example of enabling DHCP Snooping on a Cisco switch (the VLAN list and the rate are placeholders; DHCP server replies are only accepted on ports marked trusted, so mark the uplink towards your real DHCP server as trusted and leave the access ports untrusted):

switch(config)# ip dhcp snooping
! Enables DHCP snooping globally
switch(config)# ip dhcp snooping vlan <vlan-list>
! Enables DHCP snooping for the listed VLANs
switch(config-if)# ip dhcp snooping trust
! Marks the interface as trusted, so it may pass DHCP server replies
switch(config-if)# ip dhcp snooping limit rate <packets-per-second>
! Rate-limits DHCP packets on an untrusted interface

4) Use the "DHCPLOC Utility" to detect rogue DHCP servers on your network. Get it from here (

With this tool you can determine which DHCP servers are available to a DHCP client and detect unauthorized DHCP servers on a subnet.

5) Use "DhcpExplorer", a tool that discovers DHCP servers on your local subnet or LAN. This is useful for locating servers that are not supposed to be on your network (rogue DHCP servers) as well as checking the expected output of known servers. Download it from here:

6) Use "DHCPing", a simple utility that works like ping except that it tests for running DHCP servers. The results of a dhcping scan can be matched against the list of known DHCP servers on your network; anything showing up in the scan and not in your server inventory should be treated as suspect. Get it from here:

7) If you are a Microsoft shop, make sure you have configured DHCP server authorization in Active Directory correctly; read here for more details:

8) If you use Nmap (and you should), you can scan your network for hosts listening on the DHCP server port. A host answering on UDP 67 is acting as a DHCP server; port 68 is the client side and is included only for completeness. See this example:

nmap -sU -P0 -p 67-68 -oN dhcp-scan-results.txt 192.168.0-3.*

Replace 192.168.0-3.* with your own address range. UDP scanning reports a port as open|filtered when nothing answers, so treat only a clear "open" as a hit and confirm it by sending a real DHCP discover (DHCPLOC or DhcpExplorer).

9) Snort is your watchdog while you are busy. Add a variable listing your legitimate DHCP servers to snort.conf, like this (example addresses):

var AUTHORIZED_DHCP [192.168.1.1,192.168.1.2]

Replace the addresses with your production DHCP servers; the variable name must match the one used in the rule, including case.

Then use this rule to detect DHCP server replies coming from any other host (servers answer from UDP 67 to the client's UDP 68):

alert udp !$AUTHORIZED_DHCP 67 -> any 68 (msg:"Rogue DHCP Server On Network"; classtype:policy-violation; sid:1000001; rev:1;)

10) If you have tcpdump around, you can use this BPF filter to catch rogue DHCP servers (replace the two hosts with your real servers):

tcpdump -i eth0 -nn 'udp src port 67 and not (host x.x.x.x or host y.y.y.y)'

11) And last, check with your host-based firewall vendor that their product does support NDIS-level firewalling. That means the firewall protects against unauthorized NDIS protocol registration by hooking NdisRegisterProtocol()/NdisOpenAdapter(), so it is notified when a new NDIS protocol is being registered or is binding to an adapter, which is exactly what this variant's NDISProt.sys does.
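As an added example, not code from the original post, here is the check that items 9 and 10 above express as a Snort rule and a BPF filter, written in Python so that it also shows which DNS servers a rogue server is handing out, the part of this variant that actually does the damage. It parses the BOOTP/DHCP payload of UDP packets (for example pulled from a pcap with a capture library), keeps only DHCPOFFER and DHCPACK messages, and reports any server identifier (option 54) that is not on the allow-list together with the DNS servers (option 6) in that message. The packets at the bottom are constructed for the demonstration, not captured from Trojan.Flush.M, and 203.0.113.0/24 is a documentation range.

```python
"""Find rogue DHCP servers and the DNS servers they advertise.

Added example, not code from the original post.  Input is the UDP payload of
DHCP packets; the sample packets at the bottom are constructed, not captured.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie at offset 236
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
SERVER_MESSAGES = {2: "DHCPOFFER", 5: "DHCPACK"}   # messages only a server sends


def parse_dhcp(payload):
    """Return (message_type, server_id, [dns servers]) or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(OPT_MSG_TYPE, b"\x00")[0]
    server_raw = options.get(OPT_SERVER_ID)
    server_id = str(ipaddress.IPv4Address(server_raw)) if server_raw and len(server_raw) == 4 else None
    dns_raw = options.get(OPT_DNS, b"")
    dns = [str(ipaddress.IPv4Address(dns_raw[j:j + 4])) for j in range(0, len(dns_raw) // 4 * 4, 4)]
    return msg_type, server_id, dns


def find_rogue_servers(payloads, authorized):
    """Return [(server_ip, message_name, [dns servers])] for every server
    message whose server identifier is not in `authorized`."""
    rogue = []
    for payload in payloads:
        parsed = parse_dhcp(payload)
        if parsed is None:
            continue
        msg_type, server_id, dns = parsed
        if msg_type in SERVER_MESSAGES and server_id and server_id not in authorized:
            rogue.append((server_id, SERVER_MESSAGES[msg_type], dns))
    return rogue


# --- constructed sample traffic --------------------------------------------
def build_dhcp(msg_type, server_ip=None, dns_ips=()):
    """Build a minimal DHCP payload: 236-byte BOOTP header, cookie, options."""
    header = struct.pack("!BBBBIHH4s4s4s4s", 2 if msg_type in SERVER_MESSAGES else 1,
                         1, 6, 0, 0x3903F326, 0, 0,
                         b"\0" * 4, ipaddress.IPv4Address("192.168.1.50").packed,
                         b"\0" * 4, b"\0" * 4)
    header += b"\0" * 16 + b"\0" * 64 + b"\0" * 128          # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_ip:
        opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    if dns_ips:
        opts += bytes([OPT_DNS, 4 * len(dns_ips)]) + b"".join(
            ipaddress.IPv4Address(d).packed for d in dns_ips)
    return header + DHCP_MAGIC + opts + bytes([OPT_END])


AUTHORIZED_DHCP = {"192.168.1.1"}
SAMPLE_PAYLOADS = [
    build_dhcp(1),                                                   # DHCPDISCOVER from a client
    build_dhcp(2, "192.168.1.1", ["192.168.1.1"]),                   # legitimate offer
    build_dhcp(2, "192.168.1.77", ["203.0.113.5", "203.0.113.6"]),   # infected peer answering first
    b"not dhcp at all",                                              # noise seen on udp/67
]

if __name__ == "__main__":
    for server, msg, dns in find_rogue_servers(SAMPLE_PAYLOADS, AUTHORIZED_DHCP):
        print(f"rogue {msg} from {server}, advertising DNS {', '.join(dns)}")
```

The race this variant wins is answering before the real server does, so a rogue offer shows up even when the legitimate offer also arrives; that is why the check keys on the server identifier and not on whether a legitimate offer was seen.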

Related Posts:

Wednesday, October 15, 2008

The Honeynet Project - Kuwait Chapter

The first Arab chapter of the Honeynet Project is about to see the light. I'd like to announce the creation of the "Kuwait Chapter" of the Honeynet Project. Our goal is to study Internet attacks and threats that target Kuwait and the Middle East. We are in the process of contacting third parties for donations and sponsorship. If you are interested in helping us, please contact me at (

Also, we are looking for volunteers who want to join the team; the required skills are:

1) Malware analysis

2) Packet analysis

3) Linux/Windows forensics

4) IDS / IPS / firewalls

5) Honeypots

If you would like to donate, we accept:

1) Cash

2) Computers

3) Servers

4) Internet public IP's

5) Internet connections

For more information, please contact me at (

Sunday, September 7, 2008

Malwares Forensics Dojo in Kuwait

By Aa’ed Alqarta (Symantec STS)

This course is targeted at systems and security administrators who are responsible for securing their clients and networks. Without the concepts and technical skills, you can't defend against the latest generations of malware. This course will give you the knowledge required to fight malware. You'll learn from an experienced and trained instructor who will guide you step by step through the training.

Course Agenda:

- Introduction to malware: malware basics and the history of malware.

- Types of malware: all malware categories and how to defend against each of them.

- Tools for malware analysis: the analysis tools that help a system admin investigate an infected computer.

- Malware disinfection: techniques that teach a system admin how to disinfect and clean an infected system using special tools and live CDs.

- Malware detection: how to detect malware propagating in your network using traffic analysis, honeypots and IDS.

- Security policies and defenses against malware: effective security policies and defense strategies against malware.

For registration details, just send to (a.qarta [ at ]

Wednesday, July 2, 2008

"Malwares Resistance" Assessment

We have all heard of a "Vulnerability Assessment" or a "Network Security Assessment", but what about a "Malware Resistance Assessment"?

Well, it came to my mind this morning while talking to one of my customers about hardening their machines to be more "resistant" to malware infections.

I am not aware of any standard for measuring the "resistance level" of a network against malware, but based on my knowledge and experience, I'd like to draft an essential checklist of questions to answer for yourself:

1) Are you running the latest version of your current antivirus product?

2) Can the antivirus detect known malware, rootkits and zero-day exploits using a proactive technique?

3) Can the antivirus detect unknown malware, rootkits and zero-day exploits using a proactive technique (heuristics or behaviour analysis)?

4) Do you have a patch-management strategy to fix operating system and third-party application vulnerabilities?

5) Do you have an Internet content-filtering solution to block access to web sites that host malicious code?

6) Do you have an anti-spam solution that filters spam and scans attachments and embedded links?

7) Do you have the latest versions of the applications that install ActiveX components?

8) Do you have the latest version of your Internet browser? (The latest browsers have been engineered with phishing/malware filtering.)

9) Do you have a policy that forbids and blocks the use of removable drives in your network?

10) Do you have a policy that forbids and blocks the installation of unapproved software?

11) Do you have a bandwidth-monitoring solution to track network and Internet protocol usage in real time?

12) Do you have a firewall/UTM solution that supports virus scanning of Internet traffic?

13) Do you have an IDS/IPS solution that can observe malware activity in your network?

14) Do you run a honeypot that monitors the dark space in your network/DMZ for malware propagation?

15) Do you have the proper firewall ACLs to block inbound/outbound traffic related to malware communications?

16) Do you have a "malware outbreak incident response" plan?

17) Do you follow the principle of least privilege whenever you install or configure software or a service?

18) Do you have a training program that gives you or your team the needed malware-related skills?

19) Do you have a "malware containment strategy" in case of a large-scale propagation?

20) Do you have solid backup and recovery of data and systems in case of data loss due to a malware infection?

21) Do you have security awareness training for users, to reduce the number of infections and to improve how users report incidents?

22) Do you have a secure deployment process for new machines in your network? (Up-to-date OS, up-to-date AV, hardened OS, only approved applications installed, limited user permissions.)

23) Do you follow a password security policy in your network? (Network share passwords, administrator account password, complex passwords, password expiration, changing default passwords.)

If you have anything to add to this list, you're welcome.

Related Posts:

  1. Opera 9 vs. FF 3: anti-phishing review
  2. Use default password, get hijacked
  3. Stop malwares using device control
  4. Block malware domains using Squid
  5. IE ActiveX security 101
  6. DNS redirection techniques
  7. Malwares containment: quarantine the infected
  8. Malwares containment: level II
  9. Malwares containment - the basics
  10. Analyze malware infections on your own - 1
  11. Analyze malware infections on your own - 2

Monday, June 30, 2008

Firefox vs. Opera: Anti-phishing Review

The war between Opera and Firefox is still burning, and both have improved their code to secure the user's online life. Since I work with security products on a daily basis, I have the habit of testing their capabilities to confirm what they are supposed to protect against. When you put anything to the test you often get surprising, and mostly disappointing, results. Today I have two contenders, Opera 9 and Firefox 3. We have heard claims about their readiness to stop the bad guys. I'm not sure this is the correct way to benchmark them, but my test was simple: simulate a normal user who received a phishing spam containing a link to a fake web site such as PayPal.

The Test: six live phishing URLs (defanged as hxxp://) were opened in both browsers; the URLs and the screenshots of each result are not preserved here.

What makes Opera 9 better than Firefox in my opinion? The higher number of blocked sites, plus the warning notification when a fraud site is detected. Firefox blocked none of them and showed no notification, except that it was not receiving the identity information of the site.

Download both of them and try the test by yourself:

Opera 9

Firefox 3


Saturday, June 28, 2008

Book Review: Endpoint Security

I've just finished reading this book by Mark Kadrich, and I have to admit that it is highly informative and focuses on the pain points. We are fighting malware every day and spending millions of dollars on solutions built to stop known attacks that fail to stop the unknown. I'd like to share some interesting quotes from the book:

(I'm not aware of any SOx template that ever stopped a worm. Granted, it was a great example of "find a need and fill it" mentality, but it also gave many people the false impression that being SOx compliant meant being secure.)

(How can this be? We have antivirus! We have firewalls! We have IDSs! We have authentication systems! We have HIPAA, SOx and let's not forget GLBA! With all this heavy artillery, how can the evil worms of war still manage to break through our defenses? Why do we have systems infected with bots? How can we have all this security and still have a polluted network?)

What can we understand from this?

I think the problem is either that the current security standards are not as effective as before at stopping malware, or that we are not implementing them correctly. A security standard gives you the foundation of the whole security architecture your network needs; if you don't follow the book, it's your problem. I've seen many security administrators who pay no attention to patching machines properly, or even to checking the firewall logs for botnet activity. Such cases are a big example of how malware manages to penetrate your defenses and infect the endpoints.

I'll give you some tips from my daily work:

To stop malware we need to close all the holes, which are:

1) Internet - there are several sources of risk, so let's break them down:

Web sites: install a content-filtering solution (e.g. Websense)
Spam: install a respected anti-spam solution (e.g. BorderWare MXtreme, Cisco IronMail)
P2P: block these applications using a firewall or IPS, or prevent their installation in the first place.
Malware: block risky ports on the firewall. Deploy a network IPS. Deploy a gateway antivirus (HTTP scanning).

2) Removable drives - these devices are "mobile mass infection" weapons, which I will never allow on my watch.

The only effective countermeasure against them is a device-blocking policy enforced by software that gives full control over them.

The list is not finished yet, so please keep reading:

- Patch management strategy: OS and application patching. Most malware targets a specific known vulnerability in your system. I always say "a patched machine with a public IP is safer than an unpatched one behind a hundred firewalls".

- Browser security: get a secure browser (FF 3 or Opera 9). Read my lips: no more ActiveX!

- Network Access Control: check the Cisco NAC or Symantec SNAC solutions.

- User awareness: e-mails with some cartoons, sessions, screenshots of malicious activity and how to report it.

- Training and reading: if your admin spends his day playing FreeCell, it's time to level up his knowledge, because an ignorant admin decreases the value of any security solution. Most customers use only a fraction of a solution's features, because they don't know how to use the advanced ones that might fix the original problem.

The book is available on Amazon.
I'm done here,

Saturday, June 21, 2008

USB dongle auto malwares scanning with clamav

How many of you use a USB dongle for your daily tasks? Most of you, I think, but since this blog is about security and malware, today I'm going to show you a trick using a Windows batch file and the portable version of ClamAV to arm your dongle for when you have to copy or move files in an insecure environment. Personally, when I need a new or additional USB dongle, I prefer the ones with a hardware write-protect switch. This is a very effective way to protect your USB stick when you transfer files between your laptop and other machines. But suppose yours doesn't support this feature: you need to build some kind of armor around it.

Let’s work:

1) Get the latest copy of ClamWin Portable for Windows. Download here (install it and rename the folder to ClamWinPortable).

2) Save the following batch file as scan.cmd. All paths are relative to the folder containing the script (%~dp0), so it works whatever drive letter the stick gets. Note that --remove deletes infected files outright; use --move=<quarantine folder> instead if you prefer to keep them for analysis:

@echo off
rem Run from the root of the USB stick; %~dp0 is the folder containing this script
set USB=%~dp0
set CLAM=%USB%ClamWinPortable\App\clamwin\bin
set DB=%USB%ClamWinPortable\Data\db
echo Updating ClamAV definitions ...
"%CLAM%\freshclam.exe" -v --config-file="%CLAM%\freshclam.conf" --datadir="%DB%"
echo Scanning USB for malware ...
rem scan recursively, list only infected files, remove them, log to the stick
rem (the drive root has no spaces, so %USB% is left unquoted on purpose)
"%CLAM%\clamscan.exe" --database="%DB%" -r -i --bell --remove --detect-broken -l "%USB%scan-results.txt" %USB%
explorer.exe %USB%

3) Save the following AutoRun instructions as autorun.inf (the listing did not survive in the original post; this is the minimal form that launches the script):

[autorun]
open=scan.cmd
action=Scan this drive with ClamAV

Copy all of these files to the root of your USB dongle, then close the Explorer window, reopen it and see the magic. Be aware that AutoRun from removable drives is exactly the mechanism USB-borne malware abuses, and Windows updates have since disabled it for removable media, so on a current system you will have to start scan.cmd by hand.

Wednesday, June 18, 2008

Zlob says: You look really stupid !

The Zlob trojan never gives up; it uses a multi-pronged strategy to infect as many systems as possible. We recently talked about its attacks on insecure wireless/wired routers on the Internet that are left with default passwords. Now Zlob is trying some social engineering tricks: it sends spam e-mails with the subject line "You look really stupid" whose body contains a URL to a fake video file with the extension .exe!

Checklist for system admins:

  1. Make sure the current anti-spam solution is updated with the latest signatures.
  2. Make sure the current antivirus is deployed and updated on all machines. Verify that your vendor already provides definitions to detect Trojan.Zlob and its variants.
  3. Deploy a URL/web-site filtering solution to block malicious URLs (e.g. Websense). If you already have one installed, create a policy denying access to any URL that contains video.exe or video1.exe.
  4. Turn on antivirus scanning on your gateway firewall; if it doesn't support this, it's time to replace it with a decent UTM (e.g. Fortigate / Juniper / ASA).
  5. User awareness is on your side: send a periodic e-mail about spam, malware and other Internet threats. Use simple and friendly language, and add a cartoon about computer security for a touch of humour.
  6. If you are already running Snort, use this signature to detect the download of the fake video executable (adapt the rule to the different variants such as video.exe, video1.exe, video2.exe, etc.; the sid is an example value from the local range 1000000 and above):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Trojan.Zlob Binary Requested (video.exe)"; flow:established,to_server; uricontent:"/video.exe"; nocase; classtype:trojan-activity; sid:1000002; rev:1;)

other posts about Zlob:

Friday, June 13, 2008

Use default password, get hijacked

As the title says, use a default password on your wireless/wired router and wait for the new variant of the "Zlob" trojan to infect some machines and then try every default router username/password combination from Or check this text file and search for your current user/pass to make sure they are not in the list.

Zlob (also known as DNSChanger) modifies the router's DNS settings to point at rogue DNS servers. These name servers resolve non-existent domains (typo-squatting) to IP addresses controlled by the authors to generate revenue, and can potentially re-route traffic from legitimate web sites to other suspicious web sites.

Countermeasures against DNSChanger:

  1. Change your router's default password to something complex; make sure it's long and contains symbols and numbers.
  2. Configure your router to allow management access from specific machines only (e.g. the admin PC); this prevents infected machines from reaching the router.
  3. Update the firmware to fix any known security issues.
  4. If possible, change the management port to something else (e.g. from 80/443 to 555).
  5. Configure syslog/SNMP on the router to watch for configuration changes or failed logins.
  6. Rename the admin account on the router, or see the next item.
  7. Disable/delete the admin account and create another one with a different name and password.
  8. Deploy an IDS on your network to detect malicious activity (e.g. router user/password brute-force attempts, DNS requests to rogue DNS servers, video codec downloads).
  9. Deploy a URL-filtering appliance or software that blocks access to malicious web sites/pages offering codecs or fake codecs.
  10. Disable UPnP on your router, because it is no longer considered secure. Check here:
  11. Block access to these IPs ( /
  12. Use the Purenetwork security scan for wireless networks,
  13. Keep your machines up to date. Most malware targets a specific vulnerability to reach the system.
  14. Install legitimate video codecs on your machines, and tell your users that their machines are ready to play any video format, so there is no need to download codecs from untrusted sites. Check
Safe browsing ... :)
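Item 8 above asks the IDS to spot requests to rogue DNS servers; the same check can be run over firewall logs. The following is an added example, not code from the original post, that reads firewall log lines in an assumed export format (date, time, protocol, src:port -> dst:port, action; adapt the regex to your own firewall), keeps the ones going to port 53, and reports every internal client that resolves through a server other than your authorized resolvers. Your own resolver forwarding queries to the Internet is legitimate, so sources that are themselves authorized resolvers are skipped. The log lines and addresses are constructed for the demonstration; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

```python
"""Report internal hosts that send DNS queries to unauthorized resolvers.

Added example, not from the original post.  The log format below is an
assumed firewall export: date time proto src:port -> dst:port action.
"""
import re
from collections import defaultdict

# assumed log line format; adapt the regex to your firewall's export
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>UDP|TCP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<action>\w+)$"
)


def parse_line(line):
    """Return the match fields as a dict, or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def rogue_dns_clients(lines, authorized_resolvers):
    """Map each internal client to the sorted list of non-authorized DNS
    servers it queried (UDP or TCP port 53).  Sources that are authorized
    resolvers themselves are skipped: a resolver forwarding to the Internet
    is expected and must not be reported."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != "53":
            continue
        if rec["src"] in authorized_resolvers or rec["dst"] in authorized_resolvers:
            continue
        seen[rec["src"]].add(rec["dst"])
    return {client: sorted(servers) for client, servers in seen.items()}


AUTHORIZED_RESOLVERS = {"192.168.1.2"}

# constructed sample log, not real traffic
SAMPLE_LOG = """\
2008-06-13 09:00:01 UDP 192.168.1.20:51234 -> 192.168.1.2:53 allow
2008-06-13 09:00:02 UDP 192.168.1.2:53213 -> 198.51.100.9:53 allow
2008-06-13 09:00:05 UDP 192.168.1.31:49152 -> 203.0.113.5:53 allow
2008-06-13 09:00:06 UDP 192.168.1.31:49153 -> 203.0.113.6:53 allow
2008-06-13 09:00:07 TCP 192.168.1.31:49154 -> 203.0.113.5:53 allow
2008-06-13 09:00:09 TCP 192.168.1.20:50001 -> 198.51.100.20:80 allow
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    for client, servers in sorted(rogue_dns_clients(SAMPLE_LOG, AUTHORIZED_RESOLVERS).items()):
        print(f"{client} resolves via unauthorized DNS servers: {', '.join(servers)}")
```

A host that shows up here with two or more unknown resolvers is the typical DNSChanger signature: the malware hands out a primary and a secondary rogue server. The stronger fix is to block outbound port 53 at the firewall for everything except your resolvers, which turns the rogue servers into a denied-connection log entry instead of working redirection.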

Tuesday, June 3, 2008

Stop malwares using device control: A real life experience

If you are one of those administrators who try hard to keep their networks clean and prevent the next malware from infecting their systems, this is definitely for you…

Spending thousands of dollars on security solutions to protect the enterprise from the outside alone is an outdated concept. Ask anyone who works in the security arena what the main sources of malware are today, and he'll probably answer: e-mail spam, web sites and removable drives. I've been dealing with anti-anything (malware, viruses, worms, rootkits) for a long time, and I used to judge a network's security from the antivirus server logs and reports, because these logs give a lot of detail, such as the name of the virus, its path on the system, where it came from, etc. Most of the time I see viruses detected in the root folder of a removable drive, thanks to Windows "AutoPlay", which inspects the type of files and chooses suitable software to open them; with this, malware gets executed every time you plug your flash drive into your computer. Many vendors today provide an additional module in their software that controls local system devices based on a policy. For example, Symantec Endpoint Protection 11 is my choice today for protecting endpoints: I can block every single device/interface in the machine, such as USB dongles, Bluetooth, PCMCIA, wireless, COM ports, etc. I had one customer who was struggling to stop malware, and depending on the installed AV alone was a losing game. So I checked the daily logs of the AV server, and I was surprised by the high number of viruses that had been detected on users' USB dongles!
I have to admit that this customer is happier than before, because malware infections decreased by 70% once we blocked all insecure devices.
A replacement for using USB dongles inside the corporate network is a secure file-sharing server with a multi-engine antivirus scanner installed to check infected dongles and clean them. The user then copies/moves his files to/from this server without endangering the LAN. The company accepted this and life goes on with or without USB dongles :)

Saturday, May 24, 2008

Block malware domains using Squid

Today we'll see how to start filtering malicious web sites, using Squid as an example. Squid is a popular open source web proxy and cache. If you don't want a complex solution, you can use a blacklist and a small batch file to generate copy-and-paste Squid ACLs to filter the unwanted.

Let's Start:

1) Download the complete domain list from this link: domains.txt

2) Use MS Excel to filter the list and save the domains:

- open domains.txt

Select the domains in the first column and paste them into a text file; call it block.txt

3) Use this batch file to read the domains from block.txt and turn each one into a Squid ACL line (the old output file is deleted first, because >> appends and a second run would otherwise produce duplicate lines):

@echo off
del c:\squid-acls.txt 2>nul
rem one "acl blocksites dstdomain <domain>" line per entry in block.txt
for /f %%a in (c:\block.txt) do echo acl blocksites dstdomain %%a >> c:\squid-acls.txt
notepad c:\squid-acls.txt
exit /b

Append the output to squid.conf like this (one line per domain; an entry with a leading dot, e.g. .example.com, also matches every subdomain):

acl blocksites dstdomain <domain-1>
acl blocksites dstdomain <domain-2>
...
acl blocksites dstdomain <domain-n>

http_access deny blocksites

The http_access deny line must come before the http_access allow rules for your users, because Squid applies the first rule that matches. For a long list, the cleaner option is to keep the domains in a file and reference it from a single ACL line: acl blocksites dstdomain "/etc/squid/block.txt"

Save and close the conf file, then restart Squid (or reload the configuration without dropping client connections with squid -k reconfigure):

# /etc/init.d/squid restart

you're done ;)
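The batch file above writes one ACL line per entry, but a raw domain feed usually contains comments, duplicates, mixed case and hosts that are already covered by a parent entry; since Squid's dstdomain matches a leading-dot entry such as .example.com against every subdomain, those extra lines are redundant. The following is an added example, not code from the original post, that cleans such a list in Python and emits the dstdomain entries for a file referenced from squid.conf with acl blocksites dstdomain "/etc/squid/block.txt". The sample list is constructed; example.com, example.net and example.org are reserved names.

```python
"""Normalize a malware-domain list into Squid dstdomain entries.

Added example, not from the original post.  Reads a text list (one host per
line, '#' comments allowed), validates the names, drops duplicates and any
host already covered by a broader entry, and returns the lines to put in the
file referenced by:  acl blocksites dstdomain "/etc/squid/block.txt"
"""
import re

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_domain(name):
    """Syntactic check: 2+ labels, each letters/digits/hyphen, no leading/trailing hyphen."""
    labels = name.split(".")
    return len(labels) >= 2 and len(name) <= 253 and all(LABEL_RE.match(lab) for lab in labels)


def normalize_blocklist(lines):
    """Return sorted dstdomain entries, each as '.domain' so subdomains match too.

    If 'bad.example.com' and 'example.com' are both listed, only '.example.com'
    is kept, because Squid's leading-dot form already matches bad.example.com.
    """
    names = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        entry = entry.lstrip(".")          # accept entries already in .domain form
        if valid_domain(entry):
            names.add(entry)
    # drop any name that has a listed ancestor (parent, grandparent, ...)
    covered = set()
    for name in names:
        parts = name.split(".")
        for i in range(1, len(parts) - 1):
            if ".".join(parts[i:]) in names:
                covered.add(name)
                break
    return sorted("." + n for n in names - covered)


def to_squid_acl_lines(lines, acl_name="blocksites"):
    """Inline form for squid.conf, equivalent to the batch file's output."""
    return [f"acl {acl_name} dstdomain {d}" for d in normalize_blocklist(lines)]


# constructed sample list, not a real feed
SAMPLE_LIST = """\
# malware domains (constructed sample)
Example.COM
bad.example.com          # already covered by example.com
.example.net
EXAMPLE.net
cdn.example.org.
-broken-.example.org
not_a_domain
localhost
""".splitlines()

if __name__ == "__main__":
    print("\n".join(to_squid_acl_lines(SAMPLE_LIST)))
```

Write the returned entries to the file named in the ACL and run squid -k reconfigure; invalid names are dropped rather than passed through, because a malformed dstdomain entry makes Squid refuse the whole configuration.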

Saturday, April 26, 2008

Managed Security Services: the home-users edition

If you think about security problems nowadays, they fall into two groups: corporate security problems and home-user security problems. Most security vendors focus on the first, simply because that is where the cash is. But who will help the clueless end user who got a new laptop or desktop and has no idea about Internet security? OK, you may tell me that OEM-shipped computers come with an antivirus already installed. Stop! Norton Antivirus has to be activated before it starts working, and evaluation versions run for one or two months. Then what? It stops updating definitions, or stops working altogether. This is where the problem starts: end users have to be managed somehow, by someone, and the nearest candidate is their ISP. ISPs can play an effective role here, because the user already connects through their proxy servers, DNS servers, web-filtering servers, etc. What if we add one more server to this mix, an antivirus server? Let their marketing departments start new campaigns (e.g. "AV for everyone"), earn more money, and build a secure community of Internet users at the same time.

Technically it is nothing more than installing a corporate-edition antivirus (clients/server) and deploying the agents to the paying customers who prefer to leave antivirus management to the ISP's technical support. What are the advantages of such a service? It fixes many issues: commercial AV licensing, insecure default AV installations, corrupted AV installs that keep showing bogus notifications forever, and definition updates from the ISP-hosted server, which defeats the local poisoning of the AV vendor's domain record (e.g. a hosts-file entry mapping the update server to 127.0.0.1) that makes updating definitions impossible.

I hope ISPs start taking some responsibility and stand beside their users, which would set them apart from the others.

If you have any comment, share it with us here …

Thursday, April 24, 2008

U.N. site took the injection

The U.N. site is another victim of SQL injection attacks: when a user browses the site's events page, he is redirected to ([removed]). The "1.js" script redirects the user to another page, "1.htm", which, once loaded, tries to exploit the following vulnerabilities:

Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (Critical)

Cumulative Security Update for Internet Explorer (Critical)

Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution

Vulnerability in Vector Markup Language Could Allow Remote Code Execution

Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution

The Baofeng Storm MPS.StormPlayer.1 ActiveX control heap-based buffer overflow

GLChat Stack-based buffer overflow

Baidu Bar ActiveX Control Remote Command Execution

Real Player RAM Download Handler ActiveX Control

Finally, it redirects the user to two more pages that serve malware: ( hao8.htm?036) and ( new.htm).

Mitigation checklist for system administrators:

  1. Make sure all Windows machines are up to date; use WSUS to distribute patches and critical updates, and use Microsoft Baseline Security Analyzer (MBSA) to scan for missing patches and vulnerable security settings.
  2. Make sure all installed applications are up to date; you can use Secunia Network Software Inspector to check for vulnerable software.
  3. Secure the ActiveX settings of Internet Explorer; see IE ActiveX Security 101. Also check the "ActiveX Killbit App" from Tom Liston of Intelguardians.
  4. Block all HTTP requests for the injected 1.js script at your proxy or URL filter.
  5. Make sure your antivirus vendor has signatures for W32/PWStealer1!Generic; PWS:Win32/Lineage.WI.dr; Trojan-PSW.Win32.OnLineGames.ppu; Trojan.PSW.Win32.OnlineGames.GEN

Friday, March 21, 2008

IE ActiveX Security 101

Now it's time to open the books and read about how we can achieve a safe browsing experience at a time when you can't trust any site you visit on the Internet. If you depend on your antivirus alone to stop all of those invaders, you'll be another addition to the "false sense of security believers" list.

Recently we’ve faced a lot of aggressive attacks against vulnerable systems, which exploit the following ActiveX vulnerabilities:

Baofeng Storm ActiveX
Ourgame GLChat ActiveX
Qvod Player ActiveX
Microsoft RDS.Dataspace ActiveX
RealPlayer playlist ActiveX
Storm Player ActiveX
Microsoft Windows WebViewFolderIcon ActiveX
Xunlei Thunder DapPlayer ActiveX

Leaving your Windows machines unpatched until now is a shame; running insecure browsers, or better said “browsers with insecure settings”, is a big mistake nowadays, when every single malware writer will use this point to his advantage, because the next layer he needs to exploit is the weak link: humans.

So as a system admin, you should make sure no user on your watch works with a vulnerable browser. To achieve a good and secure configuration, I’ll show you the recommended IE ActiveX-related settings, which will leave you insecure if they are not set the secure way.


Usually disabling everything breaks many features and makes browsing like “drinking a glass of bitter lemonade”. Thanks to IE’s “Trusted Sites” security zone, which, as the name says, we use to hold the trusted sites, we can authorize scripts and ActiveX to be downloaded and run only for those sites. You can use the “Internet Explorer 5 Power Tweaks Web Accessory” from Microsoft; this tool adds a menu choice "Add to Trusted Zone" to the Tools menu of Internet Explorer.

100% Safe Browsing … is it a dream? What do you think?
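One concrete way to lock a known-bad control out of IE, regardless of the zone settings above, is the "kill bit": a Compatibility Flags value of 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} makes IE refuse to instantiate that control even while the vulnerable software stays installed. The script below is an added example, not code from this blog or from the Killbit tool mentioned earlier; it renders a .reg file for a list of controls and audits which ones are still loadable. The control names and CLSIDs in it are constructed placeholders; take the real CLSID from the vendor or Microsoft advisory before deploying.

```python
# Added example (not from the blog): build a .reg file that sets the IE
# "kill bit" for a list of ActiveX controls, and audit registry values read
# back from a machine.  The CLSIDs below are CONSTRUCTED placeholders.
import re
from typing import Dict, List, Optional

KILL_BIT = 0x00000400
ACTIVEX_COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                      r"\ActiveX Compatibility")
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")

# Placeholder controls; real deployments use the CLSIDs from the advisories.
PLACEHOLDER_CONTROLS = {
    "Example media player control (placeholder CLSID)":
        "{11111111-2222-3333-4444-555555555555}",
    "Example toolbar control (placeholder CLSID)":
        "66666666-7777-8888-9999-aaaaaaaaaaaa",
}


def normalize_clsid(clsid: str) -> str:
    """Return the CLSID in the {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} form the
    registry key uses, or raise ValueError for anything that is not one."""
    clsid = clsid.strip().upper()
    if not clsid.startswith("{"):
        clsid = "{" + clsid + "}"
    if not CLSID_RE.match(clsid):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return clsid


def killbit_reg(controls: Dict[str, str]) -> str:
    """Render a Registry Editor 5.00 file that kill-bits every control.
    Lines starting with ';' are comments in .reg files."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for name, clsid in controls.items():
        clsid = normalize_clsid(clsid)
        lines.append(f"; {name}")
        lines.append(f"[{ACTIVEX_COMPAT_KEY}\\{clsid}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\r\n".join(lines)


def is_killbitted(compat_flags: Optional[int]) -> bool:
    """True when a Compatibility Flags value has the kill bit set.
    None means the key does not exist, i.e. the control is still loadable."""
    return compat_flags is not None and bool(compat_flags & KILL_BIT)


def audit(wanted: Dict[str, str], registry_view: Dict[str, int]) -> List[str]:
    """Given the flags actually found on a machine (CLSID -> dword, as an
    admin script would read them), list the controls NOT yet kill-bitted."""
    return [name for name, clsid in wanted.items()
            if not is_killbitted(registry_view.get(normalize_clsid(clsid)))]


if __name__ == "__main__":
    print(killbit_reg(PLACEHOLDER_CONTROLS))
```

Import the generated file with reg.exe or push the same values through Group Policy; the audit function is meant to be fed the values an inventory script reads back, so you can see which machines still load the control.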

Monday, March 17, 2008

IFRAME Attacks - Actions to be taken

The massive campaign against Internet websites is getting harder to contain because of the huge number of vulnerable websites that are not secured enough to face this kind of attack. Mass IFRAME attacks against highly ranked sites made the campaign a successful one. So as a system admin you have to raise the security bar in your network to prevent your clients from getting exploited and redirected to the malicious pages on those websites.

I've compiled a first-aid list to help you in this situation:

- Monitor outgoing DNS requests to the Internet, which bypass your local legitimate DNS server.

- Disable ActiveX

- Upgrade Internet browsers to the latest versions, IE 8 beta 1 or Firefox 3.

- Update the current antivirus (also check your antivirus server report, track clients that are not updating and fix their problems) and make sure it can detect Zlob variants.

- Block clients from reaching the infected domains by using the following techniques:

  • URL filtering software (e.g. Websense): block *all* of your clients from reaching malicious and porn sites. Add the sites newly infected by the IFRAME attack to a custom group until they get fixed. Also filter any downloaded executable that contains the keyword “codec”, for example *codec*.exe

  • In this case, block ( and all attempts to download (democodec1292.exe)

  • Firewall rule: block all HTTP/HTTPS requests to the infected domains.

  • DNS redirection: create a DNS zone (call it evil-websites) and add the domain records with bogus IPs, such as

  • If you are already running Snort, use this signature to detect the download of the fake codec executable:

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Likely Zlob variant Binary Requested (democodec1292.exe)"; flow:established,to_server; uricontent:"/democodec1292.exe"; nocase; classtype:trojan-activity; reference:url,; rev:1;)

  • Patch your Windows machines, and track this using WSUS (free) from Microsoft. Don't ever leave any system without the latest updates.

  • Upgrade the installed software to the latest versions; treat this like the operating system patch process. RealPlayer and the “Apple QuickTime Real-Time Streaming Protocol vulnerability” recently caused a lot of browser exploitation and got clients redirected to malicious sites.

  • Keep your eyes on and add those domains to the firewall blacklist or the URL filtering software, and be proactive. This will close the door against any infection.

  • Educate your users by creating awareness sessions that show them how to evade such social-engineering-based attacks. The weak link is the end user; train them to inform the IT guys about anything strange while they are browsing, such as being asked to install this xyz antivirus to protect their machines, or that xyz video codec to watch the online video of Paris Hilton!

Saturday, March 15, 2008

DNS-redirection techniques

We talked previously about malware fighting and containment techniques; today I’ll talk about an interesting way to prevent internal hosts from reaching malicious websites.

Malware today is more sophisticated and depends on multi-staged infection, which means the current code is always updated and replaced by another to add more functions or to use new evasion techniques.

To use DNS redirection we need to know the original problem first. The malware writer’s aim is to infect as many machines as possible using many ways, such as spam, malicious web pages, or P2P infected shares. Spam and malicious web pages mostly use domain names, and obfuscated or numeric URLs. And we know that to reach any web page on the Internet, the browser needs to translate the domain name to an IP.

To imagine an example: Joe received an e-mail about love cards and, as usual (we need user awareness here, folks!), he will follow the instructions, open the URL ( and visit it to download some lovely cards to send to his girlfriend … but our friend didn’t realize that it’s not a legitimate cards website but a fake one that provides malware instead of cards. And the moment he downloaded a fake card executable, boom! His computer got infected.

What can we do here to prevent the infection as early as possible? We can use the DNS server to send back “fake and not reachable” replies to the client, such as telling it that the IP of is ( This is called “Loopback Redirection”. With such a reply there is no way to reach this malicious site, and the user gets a “Web site unavailable” error. Good, let it be; we don’t want the user to access any malicious pages from now on.

You can implement this technique in two ways, with the same result: either using the HOSTS file, by inserting as many entries as you can with fake answers, or using your internal DNS server (MS DNS or BIND) to create a “Malware Domains Blacklist Zone”. The latter is best, because you have a centralized place to control name resolution.

This is a cheap way to prevent users from accessing such domains. It’s different from web site filtering solutions, which depend on a database containing millions of URLs and provide policy-based filtering. Here we use the DNS server, which already serves every host in the network.

If you want a starting point, visit and download their free blacklists of malicious domains, import them, and start prevention.
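To show what turning a blacklist into the two artefacts above actually involves, here is an added example (my own code for this post, not the blog’s, and not from any blacklist provider): it normalises a feed, emits the BIND zone stanzas for a “Malware Domains Blacklist Zone” plus the shared sinkhole zone file, and the equivalent HOSTS lines. The feed is a constructed sample, and the zone file path is an assumption.

```python
# Added example (not from the blog): turn a plain-text blacklist into a BIND
# "blacklist zone" configuration and the equivalent HOSTS file lines, both
# answering with a sinkhole address.  SAMPLE_FEED is CONSTRUCTED, not a real feed.
import ipaddress
import re
from typing import List

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_domain(name: str) -> bool:
    """At least two legal hostname labels; a bare TLD is refused so that a
    typo in the feed cannot sinkhole an entire top-level domain."""
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(lbl) for lbl in labels)


def load_blacklist(text: str) -> List[str]:
    """Strip comments, lower-case, drop the trailing dot, discard junk, and
    collapse names already covered by a listed parent: a zone answers for
    every subdomain, so www.evil.example is redundant once evil.example is
    a sinkholed zone."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line and valid_domain(line):
            names.add(line)

    def covered(n: str) -> bool:
        parts = n.split(".")
        return any(".".join(parts[i:]) in names for i in range(1, len(parts) - 1))

    return sorted(n for n in names if not covered(n))


def named_conf(domains: List[str], zone_file: str = "/etc/bind/sinkhole.zone") -> str:
    """One master zone per domain, all sharing the same sinkhole zone file
    (the path is an assumption; adjust to your named.conf layout)."""
    return "".join(f'zone "{d}" {{ type master; file "{zone_file}"; }};\n' for d in domains)


def sinkhole_zone(sink_ip: str = "127.0.0.1", ttl: int = 300) -> str:
    """Zone file answering the apex and every subdomain with the sinkhole
    address (the post's loopback redirection when sink_ip is 127.0.0.1).
    The NS points at localhost. so the file is valid whichever zone loads it."""
    ipaddress.IPv4Address(sink_ip)  # raises ValueError on a malformed address
    return (f"$TTL {ttl}\n"
            f"@  IN SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 {ttl} )\n"
            f"@  IN NS  localhost.\n"
            f"@  IN A   {sink_ip}\n"
            f"*  IN A   {sink_ip}\n")


def hosts_file(domains: List[str], sink_ip: str = "127.0.0.1") -> str:
    """HOSTS has no wildcards: only the exact names listed are redirected,
    one reason the centralized DNS zone is the better of the two options."""
    return "".join(f"{sink_ip}\t{d}\n" for d in domains)


SAMPLE_FEED = """\
# constructed sample, not a real blacklist
evil-cards.example
www.evil-cards.example      # already covered by the parent zone
Democodec.EXAMPLE.
example                     # a bare label: refused
not a domain!
"""

if __name__ == "__main__":
    zones = load_blacklist(SAMPLE_FEED)
    print(named_conf(zones))
    print(sinkhole_zone())
    print(hosts_file(zones))
```

Pointing the records at an internal sinkhole web server instead of 127.0.0.1 gives the same protection plus a log of which clients asked for the blocked names, which is exactly the list of machines to look at next.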

Monday, March 3, 2008

Malwares Containment: Quarantine the infected

We’ll continue our discussion today with the next step you should take after detecting malicious traffic in your network: isolating infected machines from the rest of the network. The easy way is to just unplug the cable and physically disconnect them. Good option, but suppose you have a lot of them; then your L3 switch can be a good ally here. Create a “Quarantine VLAN” to group infected machines and prevent any type of communication from/to these machines.

This VLAN will stop broadcasts and scanning for other computers. If creating VLANs is impossible for some reason, switch to plan B: ACLs. ACLs are important to stop or slow down malware propagation in your network.

Take the following Cisco Switch ACL example:

access-list 101 remark outgoing packet access list
access-list 101 permit tcp any any established
access-list 101 permit tcp any host [allowed destination] eq %protocol%
access-list 101 permit ip any host [insert %host% here]
access-list 101 deny tcp any any eq smtp
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 138
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny udp any any eq netbios-ss
access-list 101 permit ip any any

These ACLs deny outbound SMTP/SMB/NetBIOS connections to other machines. You should replace [allowed destination] with any host that has to be reached by the infected machines (for example the antivirus server, or the WSUS server to get Windows patches), and %protocol% with the destination port or protocol. [insert %host% here] is the same thing as before.
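Because an ACL is evaluated top-down and the first matching line wins, the order of the lines above is as important as their content. The following is an added example (my code, not the blog’s and not Cisco’s): a first-match evaluator for the subset of IOS extended ACL syntax used in the post, run against constructed packets from a quarantined host. The addresses are constructed, the placeholders are filled with an assumed WSUS server (port 8530, the WSUS default) and an assumed antivirus server, and the last assertion shows what happens when the catch-all permit is placed first.

```python
# Added example (not from the blog or Cisco): first-match evaluation of the
# quarantine ACL subset used above.  Hosts, the WSUS server (10.0.0.5:8530)
# and the AV server (10.0.0.6) are CONSTRUCTED values for the example.
from typing import List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "www": 80, "netbios-ns": 137,
              "netbios-dgm": 138, "netbios-ss": 139}


def _addr(tok: List[str]) -> Tuple[Optional[str], List[str]]:
    """'any' -> None (wildcard); 'host A.B.C.D' -> the address."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    raise ValueError(f"unsupported address form: {' '.join(tok[:2])}")


def parse_acl(text: str) -> List[dict]:
    """Parse 'access-list N permit|deny proto src dst [eq port] [established]'."""
    rules = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        rule = {"line": raw.strip(), "action": action, "proto": proto,
                "src": src, "dst": dst, "dport": None, "established": False}
        while rest:
            if rest[0] == "eq":
                p = rest[1]
                rule["dport"] = PORT_NAMES[p] if p in PORT_NAMES else int(p)
                rest = rest[2:]
            elif rest[0] == "established":
                rule["established"], rest = True, rest[1:]
            else:
                raise ValueError(f"unsupported keyword {rest[0]!r} in: {raw}")
        rules.append(rule)
    return rules


def first_match(rules: List[dict], pkt: dict) -> Tuple[str, str]:
    """Walk the ACL top-down and return (action, matching line).  A Cisco ACL
    ends with an implicit deny, so a packet matching nothing is dropped."""
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if r["src"] not in (None, pkt["src"]) or r["dst"] not in (None, pkt["dst"]):
            continue
        if r["dport"] is not None and r["dport"] != pkt["dport"]:
            continue
        if r["established"] and not pkt.get("established", False):
            continue
        return r["action"], r["line"]
    return "deny", "implicit deny"


def decide(acl_text: str, pkt: dict) -> str:
    return first_match(parse_acl(acl_text), pkt)[0]


def evaluate_all(acl_text: str, packets: dict) -> dict:
    return {name: decide(acl_text, p) for name, p in packets.items()}


# The post's ACL with the placeholders filled in (constructed values).
QUARANTINE_ACL = """
access-list 101 remark outgoing packet access list
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 10.0.0.5 eq 8530
access-list 101 permit ip any host 10.0.0.6
access-list 101 deny tcp any any eq smtp
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 138
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny udp any any eq netbios-ss
access-list 101 permit ip any any
"""

INFECTED = "10.1.1.50"  # constructed quarantined host
SAMPLE_PACKETS = {
    "patch download from WSUS": {"proto": "tcp", "src": INFECTED, "dst": "10.0.0.5", "dport": 8530},
    "AV update (any protocol)": {"proto": "udp", "src": INFECTED, "dst": "10.0.0.6", "dport": 2967},
    "direct spam to the Internet": {"proto": "tcp", "src": INFECTED, "dst": "203.0.113.25", "dport": 25},
    "SMB scan of a neighbour": {"proto": "tcp", "src": INFECTED, "dst": "10.1.1.51", "dport": 445},
    "NetBIOS name query": {"proto": "udp", "src": INFECTED, "dst": "10.1.1.51", "dport": 137},
    "plain web browsing": {"proto": "tcp", "src": INFECTED, "dst": "203.0.113.80", "dport": 80},
    "reply in an existing session": {"proto": "tcp", "src": INFECTED, "dst": "10.1.1.51",
                                     "dport": 445, "established": True},
}

if __name__ == "__main__":
    for name, verdict in evaluate_all(QUARANTINE_ACL, SAMPLE_PACKETS).items():
        print(f"{verdict:6s} {name}")
```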


Isolating infected machines gives you a lot of advantages:

1. Slowing the propagation of the malware to other clean machines.
2. Decreasing the broadcast storms.
3. Testing disinfection procedures on these machines until you get the virus definitions from the vendor.
4. Deploying a honeypot to monitor the malware behavior and try to learn and reverse its actions.
5. Malware today is getting more dynamic and modular by depending on a built-in downloader to update its code from the mother-ship (server), so we can use this feature to trick the infected machine into downloading a curing executable. For example, if you sniffed and watched outbound connections from the infected machine targeting another host online at (, this means it’s trying to get something. Simply hardcode the domain name in the infected machine’s HOSTS file and redirect it to the honeypot machine, or a machine running Netcat and listening on port 80, and look at the HTTP request. If it’s for an executable, we’ll mimic the server and write a batch file that contains temporary disinfecting procedures (killing a process, deleting files, stopping services, deleting registry keys, or even installing patches), then convert the batch file to .exe, place it at the correct path on the web server and wait. This technique has been used before with honeyd to fight worms (Blaster, Sasser).

Sunday, February 24, 2008

Malwares Containment: Level II

Once we’ve monitored the network traffic and observed anything suspicious, we should follow some recommendations to keep the analysis organized and fruitful. Here are my favorite procedures when it comes to malicious traffic analysis:

· Use the sniffer to see the top senders vs. destination host/destination port: everything starts by knowing who is talking to whom and using which protocols. It’s easy to spot infected hosts by watching their “changed” behavior, from a high number of randomly generated ARP requests (“ARP storm”) to DNS resolution requests. High SMTP traffic is another story.
Screenshot: the ARP broadcast as seen in a sniffer.

· Use the sniffer to see the full session data and look for any clues about what’s being sent between hosts. For example, an HTTP packet could show you requests to download files, upload files, bot-to-mothership traffic, etc. Every captured packet is valuable to the analysis. This is like collecting the pieces of a crashed plane.

· If you find a unique pattern that keeps repeating whenever compromised hosts generate traffic, use it as a “sniffing filter” to make the sniffer more specific and faster.

· Sniffers can send notifications (e-mail, page, SNMP, or SMS) for anything that shows up on the radar. For instance: if any host makes this specific HTTP request, e-mail me!

· Getting a unique pattern is the first step to writing an IDS rule, or even a firewall rule. IDS rule writers depend on sniffers to get patterns; the IDS then looks for them at a specific location in the packet and fires an alarm once one triggers.

· Save the sniffed packets and keep them for offline analysis, or even to share with other analysts on the Internet. Use the “.cap” or “.tcpdump” formats, as they are supported by most sniffers nowadays.
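The “who is talking to whom” triage in the first point is simple enough to script once the capture is reduced to flow records. Here is an added example (my own, not the blog’s) that ranks senders, groups them by destination port, flags an ARP storm (one host asking for many neighbours) and lists hosts speaking SMTP that are not the mail server. The flow records are constructed, and the thresholds are illustrative, not tuned figures.

```python
# Added example (not from the blog): top-talker and ARP-storm triage over
# CONSTRUCTED flow records (src, dst, proto, dport), the shape you get from
# a sniffer's conversation view or a NetFlow export.
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, str, int]  # (src, dst, proto, dport); dport 0 for ARP


def top_talkers(flows: List[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Hosts ranked by the number of flows they originate."""
    return Counter(src for src, _, _, _ in flows).most_common(n)


def talkers_by_port(flows: List[Flow]) -> Dict[int, List[Tuple[str, int]]]:
    """For each destination port, who is sending and how much."""
    per_port: Dict[int, Counter] = defaultdict(Counter)
    for src, _, proto, dport in flows:
        if proto != "arp":
            per_port[dport][src] += 1
    return {p: c.most_common() for p, c in per_port.items()}


def arp_storm_hosts(flows: List[Flow], distinct_targets: int = 50) -> List[str]:
    """A host asking for more than `distinct_targets` different addresses is
    sweeping its subnet (a worm looking for neighbours), not doing normal work."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for src, dst, proto, _ in flows:
        if proto == "arp":
            targets[src].add(dst)
    return sorted(h for h, t in targets.items() if len(t) > distinct_targets)


def rogue_smtp_senders(flows: List[Flow], mail_servers: Set[str]) -> List[str]:
    """Anything but the mail server opening port 25 outward is a spam bot
    (the same hosts the firewall ACL should already be blocking)."""
    return sorted({src for src, _, proto, dport in flows
                   if proto == "tcp" and dport == 25 and src not in mail_servers})


def build_sample() -> List[Flow]:
    """Constructed traffic: a quiet office plus one infected host, 10.1.1.50."""
    flows: List[Flow] = []
    for i in range(1, 6):                          # normal DNS and web use
        flows.append((f"10.1.1.{i}", "10.0.0.53", "udp", 53))
        flows.append((f"10.1.1.{i}", "203.0.113.80", "tcp", 80))
    flows.append(("10.0.0.25", "198.51.100.25", "tcp", 25))  # the real mail server
    for i in range(1, 200):                        # worm sweeping the /24 via ARP
        flows.append(("10.1.1.50", f"10.1.1.{i}", "arp", 0))
    for i in range(40):                            # and spamming straight out
        flows.append(("10.1.1.50", f"198.51.100.{i}", "tcp", 25))
    return flows


if __name__ == "__main__":
    sample = build_sample()
    print("top talkers:", top_talkers(sample))
    print("ARP storm from:", arp_storm_hosts(sample))
    print("rogue SMTP senders:", rogue_smtp_senders(sample, {"10.0.0.25"}))
```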

Here is a list of my recommended sniffers to be used:

Ok, enough talking about sniffers. I will move on to another important player in the game, the IDS. It’s good to keep an IDS running all the time to detect what sniffers can’t see, because IDSs have analysis engines, correlation engines, signatures, and the ability to reassemble packets and sessions. By this I mean the IDS should be deployed in a way that can watch the in/out traffic of every network point (gateway, Wi-Fi, LANs). IDS deployment should be done properly so the IDS can sniff and inspect every single packet in your network, because IDSs are basically sniffers with additional engines that use signatures to detect attacks. So if your network contains switches, you should configure a SPAN/monitoring port that allows your IDS to sniff all of the traffic in your switch.

Using an IDS to detect “in-the-wild” malware depends on many factors:

- Are the signatures up-to-date to detect the latest malwares?
- Are they “generic” or “specific” signatures?
- Is the IDS deployed at the critical IN/OUT points inside your network?

To mention an example, using the Snort IDS (if you are in Kuwait, visit the Kuwait-sug) is a good start, since it’s free, sophisticated, and community supported. Installation and deployment of Snort is out of scope here and will get its own tutorial later.

Snort depends on signatures to detect attacks and malware; for example, see the following signature to detect one variant of the latest dominating botnet worm, Storm (I’ll talk about it later):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT EVENTS Likely Storm Binary Requested (with_love.exe)"; flow:established,to_server; uricontent:"/with_love.exe"; nocase; classtype:trojan-activity; reference:url,; sid:2007761; rev:2;)

From the signature, it’s clear that (with_love.exe) is the Storm variant executable file, and it will usually be downloaded over HTTP.

I received another Storm variant in my e-mail, using the name (Valentine.exe). So we can modify the previous signature to detect it:

# local copy of the rule above: it needs its own sid (local rules use 1000000 and up) and a fresh rev, otherwise Snort rejects it as a duplicate of 2007761
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT EVENTS Likely Storm Binary Requested (Valentine.exe)"; flow:established,to_server; uricontent:"/valentine.exe"; nocase; classtype:trojan-activity; reference:url,; sid:1000001; rev:1;)

Another example is detecting a bot’s outbound communication to the Command & Control server:

alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Trojan.Win32.Qhost C&C Traffic Outbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; classtype:trojan-activity; reference:url,/; sid:2007578; rev:1;)

Watch the hex data between the pipes after content: it is the traffic pattern we got while sniffing the bot traffic to the “Mother-ship”, a.k.a. the C&C.

Anyway, these are just a few examples to show you the great detection and visibility of malware in your network.
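To see what the options in these rules actually test, here is an added example (my own code, not the blog’s and not Snort): a tiny matcher for the uricontent / nocase / content / dsize subset used in the fake-codec rule from the IFRAME post and in the Storm and Qhost rules above, run over constructed HTTP requests and a constructed C&C payload. The rules it carries are constructed copies with local sids and without the reference lines; real detection belongs in Snort itself, and this exists only to read rules with understanding.

```python
# Added example (not from the blog or the Snort project): a matcher for the
# content / uricontent / nocase / dsize subset of Snort rule options.
# RULES and the traffic samples are CONSTRUCTED for the example.
import re
from typing import List, Tuple


def split_options(body: str) -> List[Tuple[str, str]]:
    """Turn 'msg:"a;b"; nocase; sid:1;' into [("msg","a;b"),("nocase",""),("sid","1")]."""
    opts, i, n = [], 0, len(body)
    while i < n:
        while i < n and body[i] in " \t":
            i += 1
        if i >= n:
            break
        colon, semi = body.find(":", i), body.find(";", i)
        if semi == -1:
            semi = n
        if colon == -1 or colon > semi:             # flag option such as nocase;
            opts.append((body[i:semi].strip(), ""))
            i = semi + 1
            continue
        key, i = body[i:colon].strip(), colon + 1
        while i < n and body[i] == " ":
            i += 1
        if i < n and body[i] == '"':                 # quoted value may contain ';'
            end = body.find('"', i + 1)
            val = body[i + 1:end]
            semi = body.find(";", end)
            i = n if semi == -1 else semi + 1
        else:
            val, i = body[i:semi].strip(), semi + 1
        opts.append((key, val))
    return opts


def parse_rule(rule: str) -> dict:
    """Split 'action proto src sport -> dst dport (options)' into its parts."""
    header, _, body = rule.strip().partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    return {"action": action, "proto": proto,
            "options": split_options(body.rstrip().rstrip(")"))}


def decode_content(pattern: str) -> bytes:
    """Snort content syntax: literal text, with |hex bytes| between pipes."""
    out = bytearray()
    for idx, chunk in enumerate(pattern.split("|")):
        out += bytes.fromhex(chunk) if idx % 2 else chunk.encode("latin-1")
    return bytes(out)


def dsize_ok(spec: str, size: int) -> bool:
    if "<>" in spec:
        lo, hi = spec.split("<>")
        return int(lo) < size < int(hi)
    if spec.startswith(">"):
        return size > int(spec[1:])
    if spec.startswith("<"):
        return size < int(spec[1:])
    return size == int(spec)


def http_uri(payload: bytes) -> str:
    """Request-URI from the first line of an HTTP request, '' if not HTTP."""
    m = re.match(rb"^[A-Z]+ (\S+) HTTP/\d\.\d\r?\n", payload)
    return m.group(1).decode("latin-1") if m else ""


def rule_matches(rule: dict, payload: bytes) -> bool:
    uri = http_uri(payload).encode("latin-1")
    checks = []                                      # [haystack, needle, nocase]
    for key, val in rule["options"]:
        if key == "content":
            checks.append([payload, decode_content(val), False])
        elif key == "uricontent":
            checks.append([uri, decode_content(val), False])
        elif key == "nocase" and checks:             # modifies the preceding content
            checks[-1][2] = True
        elif key == "dsize" and not dsize_ok(val, len(payload)):
            return False
    for hay, needle, nocase in checks:
        if nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def scan(rules: List[str], payload: bytes) -> List[str]:
    """Return the msg of every rule that fires on the payload."""
    fired = []
    for text in rules:
        rule = parse_rule(text)
        if rule_matches(rule, payload):
            fired.append(dict(rule["options"])["msg"])
    return fired


RULES = [  # constructed copies of the rules discussed, with local sids
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Likely Storm Binary Requested (with_love.exe)"; flow:established,to_server; uricontent:"/with_love.exe"; nocase; classtype:trojan-activity; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"Trojan.Win32.Qhost C&C Traffic Outbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; classtype:trojan-activity; sid:1000003; rev:1;)',
]
STORM_REQUEST = b"GET /With_Love.EXE HTTP/1.1\r\nHost: cards.example\r\n\r\n"   # constructed
QHOST_BEACON = b"\x00\x00\x00\x28\x0a\x00\x00\x02\x0fService Pack 1\x00" + b"\x00" * 1100
```

Note how nocase lets the Storm rule catch a mixed-case file name, and how the Qhost rule only fires once dsize is satisfied, so a truncated beacon slips past it: rules test exactly what they say, no more.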

To install the IDS, you should deploy it at these points:

- Between the Internet router and your network: installing the IDS at this point gives “full visibility” of the inbound/outbound traffic of the network. To achieve this you should use a “Network TAP”.
- Inside the DMZ: to watch the attacks that target your critical servers in the DMZ. Also, any compromised server will be detected faster than by manual inspection.
- Inside the LAN: the main battlefield between malware and system admins. You should use the SPAN port in your switches to give the IDS better visibility, because switches by design don’t broadcast traffic; they depend on unicast communication. The SPAN port duplicates the traffic from the LAN ports to the port the IDS is connected to.
Diagram: how a sniffer/IDS is connected to a SPAN port.

To be continued ...

Thursday, February 21, 2008

The War is still on ...

You know I'm not talking about wars against terrorism, AIDS, or drugs. It's between antivirus vendors vs. virus writers. The latest in-the-wild malware uses sophisticated techniques to stay under the radar, and you as the end user will feel safe when your AV software shows the misleading pop-ups “No Virus Found” or “System is clean”, while the truth is your system is damn infected with some “packed virus” or a “rootkit”. Why do I say this? Because today it happened to me: one computer was infected with the “Trojan.PWS.Onlinegames.BS” virus and the AV was totally fooling me. What we should learn is: don’t believe the “Silver Bullet” concept. It’s all about marketing people who always try to inject these ideas to convince customers to buy their stupid software. What we need is to keep a far distance between the end user and malware, by enforcing the written policy and reviewing the results. Don’t depend on the desktop AV software alone; replace your old firewall with a good UTM appliance that has an AV module and make sure viruses stop there. Using different AVs to protect your network and the desktops is recommended, because vendors get virus samples from multiple places, and the faster the better. Also, use Internet filtering solutions that can put an end to users visiting malicious sites, or even prevent already infected machines from updating their virus files from the main servers. In the end, make sure to install more lines of defense, to keep the security balance in your network. Getting a book about defense-in-depth will be a good start.

Monday, February 18, 2008

Malwares Containment - the basics

We talked about malware analysis on a single infected box, but suppose you have a huge number of infected ones, or even many VLANs in your network .... I know what you are thinking: the previous tutorials were focusing on a small problem that will get bigger soon if you don't follow the basics of malware containment.

As a system admin, you should depend on many tools and techniques to fight malware. But as malware is getting more sophisticated and hard to detect using normal antivirus software, we have to build better virus-resistant networks.

It's not rocket science to understand malware behaviour; it'll take a little of your time to discover any infection in the network by using handy monitoring tools that keep an eye on every odd event that may occur at any time.

To make it simple I'll use keywords that will be covered here: (Network Sniffer, SNMP, MRTG, VLAN ACLs, Firewall ACLs, Honeybots, Nepenthes, Snort IDS, Gateway Antivirus, Windows Domain Policy, Windows Firewall (ICS), SRP, Network TAP, Host Antivirus, Antispam virus engine, Antispam attachment policy, Switch Broadcast Rules, Switch ACLs, Switch IDS Modules)

I'll mention some famous worms whose names are remembered every time you reach a discussion about worms and their ways of moving fast and infecting huge networks in hours.

  • Nimda: uses file infection, mass mailing, and LAN propagation techniques.
  • Blaster: uses direct exploitation of vulnerable hosts.
  • Netsky: uses mass mailing.
  • Storm: uses mass mailing (social engineering).

So to make clear where we should start monitoring to inspect infections and contain them, we have to list the points of connection:

  • Internet-to-LANs: the main gate of our network and the first point to monitor.
  • LAN-to-Internet: every host that is able to access the outside world could be infected and trying to infect other machines, or it could be a "bot" trying to "call home", a.k.a. calling the "Mother Ship".
  • LAN-to-LAN: here is where we should be careful; any high rise in broadcast traffic means we have infected machines, and to contain them we can use a lot of ways that I'll talk about.
  • Wireless-to-Internet: employees or guests connected to this zone are highly suspected to be infected and trying to reach other machines on the Internet.
  • Wireless-to-LAN: infected wireless machines can reach the internal LAN if there are no firewall/switch ACLs to deny them.
  • VPN-to-LAN: VPN users are too far away for us to control their home environment, but at least we can inspect their machines at the gateway.
  • Branch-to-LAN: gateway-to-gateway VPNs are encrypted, so it's a hard task to monitor these links, and they are considered a secure channel for viruses to move through. But we can inspect the clear traffic after the decryption process.
  • Dialup-to-Hosts: if you allow modems to be used inside your network, you have to stop it, because this opens a hole in your wall, bypassing all your multi-thousand-dollar firewalls and letting viruses in.

Ok amigo, if you want to flex your muscles in front of your management claiming that your network is secure and malware-proof ... you have to reconsider. The latest blog posts show how the current security systems are not able to defend against the latest generations of malware and bots. So we have to use additional techniques to detect the hidden threats in our networks.

I'll list the risks that you may face in case of internal malware propagation:

  1. Computer infections: this is the first thing to think about; once any computer gets infected, it'll start scanning and propagating. Due to infections, computers become unavailable, untrustworthy, and less productive if not unproductive at all.

  2. Rise in traffic utilization: this will definitely slow down network-based applications and services, and make networking devices busy and unresponsive due to the high level of packet processing. Some old devices will start crashing and disconnecting links.

  3. Internal denial of service: once any server becomes unreachable, this is a DoS, because routers and switches will drop new packets if the memory buffer is totally full. Or even the servers themselves will get busy, for example DNS, SMTP, proxy.

  4. MX record blacklisting: if you don't control which authorised hosts are allowed to send e-mail outside, consider this point as a "knock-knock on your door". Always use ACLs to allow mail servers ONLY to generate SMTP to the Internet. Leaving the door open for any compromised host to send spam will make your days of sending and receiving e-mail numbered. And this is against your business aim of providing 24/7 service to your users and customers.

  5. User productivity: we know that a healthy computer makes your user happy and productive. It's always wise to have spare machines / virtual machines to replace the infected ones. Or even in case of a complete system crash or failure, a fast recovery solution is highly recommended, for example Symantec Backup Exec for Windows Servers / Desktops.

After listing these terrible risks, we should draw a vision of how to start putting in the defenses and monitoring points.

Monitoring Points as in Military

You have to treat your network as a battlefield: install radars at the gateway, inside the internal LANs, and at the critical servers zone. If you want to contain a malware propagation, you have to see it, and to see it you must sniff and monitor. Sniffers are your eyes on the wire, and it's advisable to start learning about them if you don't know them. From my experience, out of ten system admins, one uses a sniffer!

What is the main benefit of sniffing? It gives you the ability to spot zero-day attack behavior in detail at the network layer. But if you want to go deeper you should get a sample, run it on a computer and watch. You can create filters to sniff a specific pattern on the wire; this will save time and processing. This is possible in two ways: either you get the packet pattern from the web, or you create it while the malware is in action.

For example, once the W32.Blackmal worm infected a machine, it contacted an online statistics counter; to capture this, either create a DNS request pattern filter or an HTTP web request filter for this domain: Here is the capture filter used in the WildPackets OmniPeek sniffer:

Besides sniffing, we should monitor traffic utilization 24/7 using handy tools like MRTG (free) or PRTG ($$$), which use SNMP to contact networking/security devices and get the interfaces' current in/out bandwidth. This is a very important task, because propagation means generating thousands of packets to reach all of the hosts inside and outside your network, and due to this massive amount of traffic you can spot it easily on the screen. It is faster and more readable than sniffing, because this is the high-level monitoring; the next step will be sniffing to see the details of the traffic.

See this MRTG screenshot of the Witty worm activity:

To be continued ....

Saturday, February 16, 2008

Blog Readers Statistics

Wow, today I got nice statistics from the counter; thanks to all who came and visited the blog.

Friday, February 15, 2008

Happy Valentine's day

"When Love Comes Knocking": lovely title for a message. I'm a single guy, so there is no way on earth that I could receive this from a real lover.

Well, since there are hundreds of single guys who receive this every Valentine's Day, they will get curious about the identity of the sender, so they will definitely open the message and drink the poison slowly.

This is one of the best spam/phishing techniques to convince people to open the mails, because we are human beings and we like to discover new things. Discover the unknown.

This was the subject of one of the many spam mails i got everyday to my Gmail account. What was the interesting part is that the mail details was the following:

Subject: When Love Comes Knocking

Sender: <<<--- First Rule: Unknown to me


Love Remains <<<<----- Oh man, wait, here we have an IP-based URL. So this is not an officially registered domain name; it should be another compromised host on the Internet. So I said to myself, this is cool ... let's hunt.

Tools of the trade:

Malzilla: the night-hunter's tool to discover malicious domains/IPs/URLs in a safe way. You can parse links / IFrames and decode JavaScript that hides executables behind it. No need for VMware images anymore, unless you want to execute the real malware sample to see what will happen.

Let's get back to the mail and see the screenshots of the analysis:

After getting the suspicious link, we inspect it using Malzilla:

Let's discover the URL:

So, after getting the malware name, "Valentine.exe", let's see what we can get from the antivirus vendor pages.

Malware type: Worm

Aliases: (Kaspersky), W32/Kipis.h@MM (McAfee), W32.Kipis.J@mm (Symantec), Worm/Mydoom.AR (Avira), W32/Kipis-H (Sophos),

In the wild: Yes

So be careful guys; follow these rules for secure e-mail reading:

  1. Don't ever open URLs from people you don't trust.

  2. Don't ever open URLs in the form of an IP like:, because this will be a compromised (malware-infected) host.

  3. Install McAfee SiteAdvisor to protect against opening malicious URLs / sites.

  4. Get good antispam software or an appliance to filter unwanted e-mails.

  5. Educate your users / customers to follow the basics of secure e-mail reading.

And happy safe Valentine's Day ... ;)
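Rule 2 above is one a mail gateway or a helpdesk script can apply mechanically. The following is an added example (my own, not the blog’s): it pulls the links out of a mail body and flags the ones whose host is an IP literal rather than a registered name, including the disguised forms a browser still accepts (a single decimal or hex number, or a “name@address” prefix that makes the real host look like a login). The message is constructed and the addresses are documentation ranges.

```python
# Added example (not from the blog): flag links whose host is an IP address
# rather than a name, in a CONSTRUCTED mail body.
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://[^\s<>'\"]+")


def host_as_ip(host: Optional[str]) -> Optional[str]:
    """Return the dotted address when the host is an IP literal in any of the
    forms browsers accept (dotted quad, IPv6, plain decimal, 0x-hex), else None."""
    if not host:
        return None
    try:
        return str(ipaddress.ip_address(host))           # dotted quad or IPv6
    except ValueError:
        pass
    try:
        n = int(host, 16) if host.lower().startswith("0x") else int(host)
        return str(ipaddress.IPv4Address(n))              # 3405803777 -> 203.0.113.1
    except ValueError:
        return None


def flag_ip_links(body: str) -> List[Tuple[str, str]]:
    """[(url, resolved_ip)] for every link that points at an address, not a name.
    urlsplit().hostname already discards a 'user@' prefix, which is what
    exposes the name@address trick."""
    flagged = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:)")                 # punctuation glued to the link
        ip = host_as_ip(urlsplit(url).hostname)
        if ip:
            flagged.append((url, ip))
    return flagged


SAMPLE_MAIL = """\
Subject: When Love Comes Knocking

Someone has sent you a card.  View it at http://203.0.113.5/card/valentine.exe
or at http://www.example.com/cards/today (the real site).
Having trouble?  Try http://3405803777/card or http://0xCB007101/card,
or log in here: http://www.example.com@203.0.113.7/login.
"""

if __name__ == "__main__":
    for url, ip in flag_ip_links(SAMPLE_MAIL):
        print(f"{ip:15s} <- {url}")
```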

Sunday, February 10, 2008

Analyze Malware-infections on your own - part 2

Today we will continue our talk about malware; let's go one step forward to see how exciting it is once you've got the malware busted on your machine, then clean it. I always call this process "CSI - Malware Analysis" -- not yet broadcast, folks --. Why? Your antivirus is clueless, because either it's not up to date or there are no signatures yet for that malware. You have to come to the rescue, or format the system and lose your data, configuration, forgotten files, etc. So, your job starts when the antivirus stops.

Once we start inspecting processes, it doesn't mean that we have the full picture; in other words, malware has skills to hide itself in your machine's corners. I will give some examples:

  • The malware usually saves itself inside system folders, mostly (Windows, System32), because all of the Windows system files are in these folders, so it's a tricky move, counting on savvy users not reaching those areas of their computers unless they are techie guys.

  • Another trick is using Windows system file names, yes, the same names. For example: svchost.exe, lsass.exe, cmd.exe, iexplore.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, inetinfo.exe, etc. But using the same system file names doesn't mean it's a hard job to figure it out. Take this hint: fake system files don't exist inside the original folders. For example, %home%\Local Settings\Application Data\smss.exe.

  • Malware can take advantage of the registry, creating/modifying/deleting keys there to add itself to the startup process, disable a protection software/service, or hijack the Explorer shell.

  • Malware can use rootkit functionality, which helps in hiding processes from the Task Manager, files from Windows Explorer, connections from netstat, and so on.

  • Malware can use "polymorphism", which is basically a smart way to evade detection by encrypting the virus body and using a "decryptor" component to decrypt the payload while the file executes. To go deeper: an encrypted virus consists of a virus decryption routine (VDR) and an encrypted virus body (EVB). Execution of an infected application enables the VDR to decrypt the EVB, which in turn causes the virus to perform its intended function. In the propagation phase, the virus is re-encrypted and appended onto another host application. A new key is randomly generated with each copy, thus altering the appearance of the code. However, the VDR remains constant, and this is its inherent weakness, resulting in detection via signature recognition.

  • Metamorphic malware uses a Mutation Engine (ME) to mutate the whole virus body into a new shape with the same function, so it basically re-alters the code and changes its signature pattern.

  • Malware can use "armouring", the use of programming tricks that make disassembling, debugging and understanding the code difficult.
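The "same name, wrong folder" hint in the second point can be checked automatically over a process or image listing. Here is an added example (my own code, not the blog’s) that does that, and, going one step beyond the text, also flags look-alike names one edit away from a real system file (a swapped pair of letters, a zero for an o). The listing is constructed, in the shape you would read out of Process Explorer’s image path column, and the expected folders assume a default C:\Windows installation.

```python
# Added example (not from the blog): find system-file names living outside
# their own folder, plus look-alike names.  SAMPLE_LISTING is CONSTRUCTED;
# EXPECTED_DIRS assumes a default C:\Windows install.
import ntpath
from typing import Dict, List, Tuple

EXPECTED_DIRS: Dict[str, List[str]] = {
    "svchost.exe": [r"c:\windows\system32"],
    "lsass.exe": [r"c:\windows\system32"],
    "smss.exe": [r"c:\windows\system32"],
    "winlogon.exe": [r"c:\windows\system32"],
    "services.exe": [r"c:\windows\system32"],
    "csrss.exe": [r"c:\windows\system32"],
    "cmd.exe": [r"c:\windows\system32"],
    "inetinfo.exe": [r"c:\windows\system32\inetsrv"],
    "explorer.exe": [r"c:\windows"],
    "iexplore.exe": [r"c:\program files\internet explorer"],
}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, so scvhost.exe and svch0st.exe are both one
    edit away from svchost.exe."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def check_image(path: str) -> Tuple[str, str]:
    """Return (verdict, detail): 'ok', 'wrong-folder' or 'look-alike'."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower().rstrip("\\")
    if name in EXPECTED_DIRS:
        if folder in EXPECTED_DIRS[name]:
            return "ok", "system file in its own folder"
        return "wrong-folder", f"{name} should live in {EXPECTED_DIRS[name][0]}"
    for real in EXPECTED_DIRS:
        if edit_distance(name, real) == 1:
            return "look-alike", f"{name} is one edit away from {real}"
    return "ok", "not a system file name"


def triage(paths: List[str]) -> List[Tuple[str, str, str]]:
    """Only the suspicious entries, as (path, verdict, detail)."""
    out = []
    for p in paths:
        verdict, detail = check_image(p)
        if verdict != "ok":
            out.append((p, verdict, detail))
    return out


SAMPLE_LISTING = [  # constructed
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\Documents and Settings\joe\Local Settings\Application Data\smss.exe",
    r"C:\WINDOWS\system32\scvhost.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\WINDOWS\system\svch0st.exe",
    r"C:\Program Files\Notepad++\notepad++.exe",
]

if __name__ == "__main__":
    for path, verdict, detail in triage(SAMPLE_LISTING):
        print(f"{verdict:13s} {path}  ({detail})")
```

A name check is a cheap first pass only; the hash check in the toolkit section below is what confirms a file in the right folder is actually the genuine binary.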

After passing by these nasty ways that malware uses to hide and evade, I'll show you how to do advanced inspection at the machine/network level.

Starting from the machine level, using a systematic approach will make your job more organised, professional, and error-free. This approach depends on creating a "Malware Activity Log" in a text file, where you write down your findings and connect them to get the full picture, then start putting in the countermeasures locally and at the gateway.

To start the inspection process, you should consider the following:

  1. The infected machine may be busy sending spam outside your network, so if you don't enforce at the firewall which machines are allowed to send mail outside, this will get your MX record blacklisted and your mails rejected by other mail servers. So be aware that even one infected machine is a big trouble maker for you. Make sure that your mail server is the only one allowed through the firewall.

  2. The infected machine is scanning the local subnets for other prey, so you can enable the Windows firewall and block "Windows File Sharing" to prevent the virus from reaching the others.

  3. The infected machine may be a bot, participating in a big "botnet" as a slave that does the dirty job on behalf of the botnet's master: DoS'ing other networks, generating spam, open proxy/mail relays, scanning machines, etc.

From my experience, in most of the infection cases I've seen before, the malware was one of the previous cases.

Your Arsenal of tools

We talked about "Process Explorer" before, but you need more tools for your forensics arsenal. I'll categorize this toolkit to make sure we cover all Windows components:

  1. Portable process managers: these will help you dig deeper, catch running viruses and collect information about them (image path / strings / TCP/IP / etc.)

  2. Portable file managers: these will help in exploring the Windows file system and finding files, because malware usually disables a lot of Windows Explorer settings.

  3. Portable registry managers: these will help in accessing the registry to read, add, delete, and modify keys.

  4. Portable Anti-rootkits: discover and expose hidden processes/files/tcp/ip connections/services/registry keys/kernel modules/ and alot that "Task Manager" and "Process Explorer" will not.

  5. Portable Antivirus: Don't always trust the running AV, because it could be corrupted, deleted, uninstalled, stopped, disabled.

  6. Portable Hashers: hashers will help when you want to verify files hashes for modifications.
    Portable Compressors: to compress files incase you want to backup files /submit a virus sample.

  7. Portable Sniffers: malwares do alot of traffic that may help you to discover what it's trying to do (ex. SMTP "SPAM" / DNS queries / Netbios-SMB "Access other computers shares / IRC "Botnet" / P2P "Botnet" / HTTP "Botnet - download other codes - register online").

  8. Portable Browsers: IE may be got currpoted, insecure, or unaccessible.

  9. Portable AutoRun monitors: these will reveal alot of viruses that try to run next time your reboot the system. 30% of your analysis depends on these monitors.

  10. VirusTotal Uploader: this nifty tool will help you upload any file to and scan it agains 25 AV engine.
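Item 6 above, verifying file hashes for modifications, is the one tool in the list that is easy to reproduce in a few lines. The block below is an added example, not code from the original post: it builds a SHA-256 manifest of a directory tree (the baseline you would take from a known-clean machine or install media), then diffs a later manifest against it to list added, removed and modified files. The directory layout, file names and file contents in `demo()` are constructed sample data, not real system files.

```python
"""Added example (not from the original post): a minimal file-integrity
check of the kind a portable hasher is used for. Build a manifest of
SHA-256 hashes for a directory tree, then compare a later manifest
against it to list files that were added, removed or modified."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return the three lists a responder wants: added, removed, modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(
            p for p in base_keys & cur_keys if baseline[p] != current[p]
        ),
    }


def demo():
    """Constructed sample: a tiny 'system32' tree, then simulated tampering."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "system32")
        os.makedirs(sys32)
        with open(os.path.join(sys32, "kernel32.dll"), "wb") as f:
            f.write(b"original kernel32 bytes")  # constructed placeholder content
        with open(os.path.join(sys32, "hosts"), "wb") as f:
            f.write(b"127.0.0.1 localhost\n")
        baseline = build_manifest(root)

        # simulated infection (constructed): hosts file edited, new file dropped
        with open(os.path.join(sys32, "hosts"), "ab") as f:
            f.write(b"0.0.0.0 av-update.example\n")
        with open(os.path.join(sys32, "svch0st.exe"), "wb") as f:
            f.write(b"MZ placeholder bytes")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest on the write-protected toolkit disk, not on the machine being examined, so a rootkit cannot rewrite the reference hashes along with the files.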

After listing our toolkit, let's see the "Analysis Path" that you should usually follow to recover your system:

[Figure: the Analysis Path]

From the figure, it's obvious that analysis should take place from left to right, starting from:

  • discovering processes
  • checking for registry modifications
  • checking TCP/IP listening ports and initiated connections
  • taking process discovery to the next level by using sophisticated anti-rootkits that will usually reveal objects hidden from the OS
  • inspecting system services for modifications (new services, stopped services)
  • a virus scan is a primary task here because our main purpose is to clean the system, but sometimes the antivirus will not be ready if the virus is hidden perfectly, so killing the main virus process that hides the child processes/files will clear out the dust and make cleaning easier
  • VirusTotal provides a free service to upload sample files and scan them against 25 engines, which will give you the virus name
  • ThreatExpert provides an online virus-sandbox service: you submit a sample, it gets executed inside a controlled environment, and a report is produced of which Windows API calls it makes
  • After building a full picture of what's going on in your system, it's time for complete cleaning: delete malware files, delete registry keys, reset registry keys to their original state, fix Windows shell keys, fix Windows Explorer folder options, regain access to system tools (registry/cmd.exe/Task Manager/etc.), reset IE security settings, run a full scan under safe mode, run a full boot scan, and monitor system activity for any malicious behaviour.
  • If your antivirus was not able to catch the virus in the beginning, this means that it lacks the signatures to detect it, or that this is a new variant that employs new techniques to hide itself from AV. Most vendors have online submission forms or an e-mail address to send them these samples, and they should update their definitions to detect this virus next time.
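The first three steps of the path (process discovery, registry/TCP checks) and the traffic patterns listed under "Portable sniffers" can be turned into a small triage script that writes straight into the Malware Activity log. The block below is an added example, not code from the original post: it parses `netstat -ano` style output, joins each connection to the owning process image path (the column a portable process manager gives you), and flags SMTP from a host that is not the mail relay, IRC connections, SMB connection sweeps, and code running from a user-writable directory. The netstat text, the PID-to-image map, the relay address and the port numbers are constructed sample data and assumed policy values; the IP addresses are documentation ranges.

```python
"""Added example (not from the original post): the 'check TCP/IP
connections' step done as code over constructed netstat -ano output and a
constructed PID -> image path table, applying the traffic patterns the
post lists (SMTP spam, IRC botnet control, SMB share scanning)."""
import re
from collections import defaultdict

# --- constructed sample input: what netstat -ano prints on the infected host
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1054      203.0.113.8:6667       ESTABLISHED     1788
  TCP    192.168.1.20:1055      198.51.100.23:25       ESTABLISHED     1788
  TCP    192.168.1.20:1056      192.168.1.33:445       SYN_SENT        1788
  TCP    192.168.1.20:1057      192.168.1.34:445       SYN_SENT        1788
  TCP    192.168.1.20:1058      192.168.1.35:445       SYN_SENT        1788
  TCP    192.168.1.20:1060      192.168.1.10:25        ESTABLISHED     2412
  UDP    0.0.0.0:137            *:*                                    4
"""

# PID -> image path, as a process manager would show it (constructed)
PROCESS_SAMPLE = {
    4: "System",
    892: r"C:\WINDOWS\system32\svchost.exe",
    1788: r"C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe",
    2412: r"C:\Program Files\Outlook Express\msimn.exe",
}

# assumed policy: the only host a workstation may talk to on port 25
ALLOWED_SMTP_RELAYS = {"192.168.1.10"}

# directories where legitimate services rarely live but droppers often do
USER_WRITABLE = re.compile(r"\\(Temp|Local Settings|Application Data|AppData)\\", re.I)


def parse_netstat(text):
    """Turn netstat -ano output into dicts; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # title, header and blank lines
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts
            state = ""
        rhost, _, rport = remote.rpartition(":")
        rows.append({"proto": proto, "local": local, "remote_host": rhost,
                     "remote_port": rport, "state": state, "pid": int(pid)})
    return rows


def triage(rows, processes, smtp_relays=ALLOWED_SMTP_RELAYS, sweep_threshold=3):
    """Return sorted (pid, image, finding) tuples worth writing into the activity log."""
    findings = set()
    smb_targets = defaultdict(set)  # pid -> hosts it tried to reach on 445
    for r in rows:
        image = processes.get(r["pid"], "<unknown>")
        if r["remote_port"] == "25" and r["remote_host"] not in smtp_relays:
            findings.add((r["pid"], image,
                          f"SMTP to {r['remote_host']} (not the mail relay): possible spam engine"))
        if r["remote_port"] in ("6667", "6697"):
            findings.add((r["pid"], image,
                          f"IRC connection to {r['remote_host']}: possible botnet control channel"))
        if r["remote_port"] == "445" and r["state"] == "SYN_SENT":
            smb_targets[r["pid"]].add(r["remote_host"])
    for pid, hosts in smb_targets.items():
        if len(hosts) >= sweep_threshold:
            findings.add((pid, processes.get(pid, "<unknown>"),
                          f"SMB connection attempts to {len(hosts)} hosts: share scanning"))
    for pid, image in processes.items():
        if USER_WRITABLE.search(image):
            findings.add((pid, image, "image runs from a user-writable directory"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, image, why in triage(parse_netstat(NETSTAT_SAMPLE), PROCESS_SAMPLE):
        print(f"PID {pid:<5} {why}\n          {image}")
```

On the sample data every finding lands on PID 1788, while the mail client (PID 2412) talking to the sanctioned relay is left alone, which is exactly the distinction the firewall rule in point 1 of the inspection list is meant to enforce. Note that a rootkit can hide sockets from `netstat` just as it hides processes; the anti-rootkit step exists because this view can be incomplete.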

The Hunting Begins

To protect our toolkit from infections, we should use a flash disk with a "write-protection lock" to keep it as read-only media. In many cases, I noticed that malware tries to copy itself to the flash drive and gets Windows "access denied" errors because the disk is protected, so your flash disk will be shielded against infection.

In case you can't use a flash disk, you can burn the toolkit to a CD-RW, so it will be easy to add more tools in the future or update the current versions. You always have to be up to date with the latest security tools to fight malware.

I'm talking about normal situations when Windows is in operation and you can access it. But to expect the worst, we should be ready to access it offline. Yes, offline: that means accessing it using a bootable Windows CD that also contains the previous tools. What this helps us with is:

  • Highly sophisticated rootkits will be in sleeping mode, meaning they are not executing, so we can detect them normally, delete them, then go back to Windows and complete the job.
  • Malware sometimes destroys Windows boot files or the registry, which makes Windows inaccessible, and we have to fix it by copying the system files again before starting the analysis process.
  • Human mistakes: when you modify the registry you have to be careful not to harm the system, because a single mistake could make Windows unbootable next time. Always take a backup; I recommend "ERUNT".

To be continued ....