Monday, June 30, 2008

Firefox vs. Opera: Anti-phishing Review

The war between Opera and FF is still burning, and both have improved their code to secure the user's online life. Since working with security products is my daily task, I have the habit of testing their capabilities to confirm what they are supposed to protect against. When you put anything to the test, you often get surprising and mostly disappointing results. Today I have two contenders, Opera 9 and Firefox 3. We have heard some claims about their readiness to stop the bad guys. I'm not sure whether this is the correct way to benchmark them, but my test was simple: simulate a normal user who received a phishing spam containing a link to a fake website such as PayPal.

The Test:

URL: hxxp://
URL: hxxp://
URL: hxxp://
URL: hxxp://
URL: hxxp://
URL: hxxp://

What makes Opera 9 better than FF, in my opinion, is the higher number of blocked websites plus the warning notification when a fraudulent website is detected, while FF blocks none of them and shows no notification, except that it is not receiving the site's identity information.

Download both of them and try the test yourself:

Opera 9

Firefox 3


Saturday, June 28, 2008

Book Review: Endpoint Security

I've just finished reading this book by Mark Kadrich, and I have to admit that it is highly informative and focuses on the pain points. We are fighting malware every day and spending millions of dollars on solutions built to stop known attacks, which fail to stop the unknown. I'd like to share some interesting quotes from the book:

(I’m not aware of any SOx template that ever stopped a worm. Granted, it was a great
example of “find a need and fill it” mentality, but it also gave many people the false
impression that being SOx compliant meant being secure.)


(How can this be? We have antivirus! We have firewalls! We have IDSs! We have
authentication systems! We have HIPAA, SOx and let’s not forget GLBA! With all this
heavy artillery, how can the evil worms of war still manage to break through our
defenses? Why do we have systems infected with bots? How can we have all this security
and still have a polluted network

What can we understand from this?

I think the problem is either that the current security standards are no longer as effective at stopping malware, or that we are not implementing them correctly. A security standard gives you the foundation of the whole security architecture your network needs; if you don't follow the book, it's your problem. I've seen many security administrators who pay no attention to patching machines properly, or even to checking the firewall logs for botnet activity. Such cases are a big example of how malware manages to penetrate your defenses and infect the endpoints.

I'll give you some tips from my daily work:

To stop malware we need to close all the holes, which are:

1) Internet - we have different sources of risk, so let's break them down:

Websites: Install a content filtering solution (e.g., Websense)
Spam: Install a respected antispam solution (e.g., Borderware MXtreme, Cisco IronMail)
P2P: Block these applications using a firewall or IPS, or even prevent their installation altogether.
Malware: Block risky ports on the FW. Deploy a network IPS. Deploy a gateway antivirus (HTTP scanning).

2) Removable drives - these devices are "Mobile Mass Infection" weapons, which I will never allow on my watch.

The only countermeasure against them is a device-blocking policy enforced by software that gives you full control over them.

The list is not finished yet, please keep reading:

- Patch management strategy: OS + application patching. 80% of malware targets a specific vulnerability in your system. I always say "A patched machine with a real IP is safer than an unpatched one behind 100 FWs".

- Browser security: Get a secure browser (FF3 or Opera 9). Read my lips: no *F* ActiveX anymore!

- Network Access Control: check Cisco NAC or Symantec SNAC solutions.

- User awareness: e-mails with some cartoons, sessions, and screenshots of malicious activities and how to report them.

- Training and reading: If your admin spends his day playing "FreeCell", it's time to level up his knowledge, because an ignorant admin decreases the value of any security solution. Most customers use only 40% of a solution because of their lack of knowledge about the advanced features that could help them combat the original problem.

Here's the link to the book on Amazon. Click here

I'm done here,

Saturday, June 21, 2008

USB dongle auto malwares scanning with clamav

How many of you folks use a USB dongle for your daily tasks? I think most of you, but since this blog is about security and malware, today I'm going to show you a trick using a Windows batch file and the portable version of ClamAV to arm your dongle for when you have to copy or move files in a non-secure environment. Personally, when I need a new or additional USB dongle, I prefer the ones with a read/write protection switch. This is a very effective way to protect your USB stick when you need to transfer files between your laptop, for instance, and other machines. But suppose yours doesn't support this feature; then you need to create some kind of armor around it.

Let's work:

1) Get the latest copy of ClamAV Portable for Windows. Download here (install it and rename the folder to ClamWinPortable).

2) Copy the following batch file and save it as scan.cmd:

@echo off
REM Work from the folder this script lives in (the root of the dongle), whatever drive letter it got
cd /d "%~dp0"
echo Updating ClamAV definitions ...
REM Definitions live in the portable Data\db folder, the same path clamscan reads below
.\ClamWinPortable\App\clamwin\bin\freshclam.exe -v --config-file=".\ClamWinPortable\App\clamwin\bin\freshclam.conf" --datadir=".\ClamWinPortable\Data\db"
echo Scanning USB for malware ...
REM -r recurses into every folder on the dongle, -i reports infected files only, -l logs to a file on the dongle
.\ClamWinPortable\App\clamwin\bin\clamscan.exe --database=".\ClamWinPortable\Data\db" -v -r -i --bell --remove --detect-broken -l scan-results.txt .
explorer.exe .

3) Copy the following autorun instructions and save them as autorun.inf:


Copy all of these files to the root of your USB dongle, then close the window, reopen it and see the magic.

Wednesday, June 18, 2008

Zlob says: You look really stupid !

The Zlob trojan never gives up; it uses a multi-direction strategy to infect as many systems as possible. We talked recently about one of its attacks against insecure wireless/wired routers on the Internet that are left with default passwords. Nowadays, Zlob is trying some social engineering tricks, sending spam e-mails with the subject line (You look really stupid) and a body containing a URL to a fake video file with the extension (exe)!

Checklist for system admins:

  1. Make sure the current antispam is updated with the latest signatures.
  2. Make sure the current antivirus is deployed and updated on all machines. Verify that your vendor is already providing definitions to detect Trojan.Zlob and its variants.
  3. Deploy a URL/website filtering solution to block malicious URLs (e.g., Websense). If you already have one installed, create a policy to deny access to any URL which contains video.exe/video1.exe.
  4. Turn on antivirus scanning on your gateway firewall, and if it doesn't support this, it's time to replace it with a decent UTM (e.g., Fortigate / Juniper / ASA).
  5. User awareness is on your side: send a periodic e-mail about spam, malware, and other Internet threats. Use simple and friendly language, and add a cartoon about computer security to give it a sense of humor.
  6. If you are already running Snort, use this signature to detect the download of the fake video executable (you need to change the rule to detect different variants like video.exe, video1.exe, video2.exe, etc.):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Trojan.Zlob Binary Requested (video.exe)"; flow:established,to_server; uricontent:"/video.exe"; nocase; classtype:trojan-activity; reference:url,; sid:1000001; rev:1;)

(Snort refuses to load a rule without a sid; 1000001 is a placeholder in the local-rule range, so pick one unused in your ruleset.)
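The rule above only matches one file name, and the post asks you to extend it for each variant. As an added example (not the post's own code), the script below does two things: it runs the generalised pattern (a path component "video", optional digits, ".exe", matched case-insensitively like the rule's nocase) over a few constructed Squid-style proxy log lines to find hosts that fetched the binary, and it generates the rule text for a list of variant names, each with its own placeholder sid. The log lines, IPs and sids are constructed for this example.

```python
import re

# Constructed sample of Squid access.log lines (not real traffic):
# timestamp elapsed client status/code bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1213814400.123    512 10.0.0.15 TCP_MISS/200 4096 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1213814401.456   1024 10.0.0.22 TCP_MISS/200 188416 GET http://203.0.113.77/video.exe - DIRECT/203.0.113.77 application/octet-stream
1213814402.789    300 10.0.0.31 TCP_MISS/200 188416 GET http://203.0.113.77/funny/video1.exe - DIRECT/203.0.113.77 application/octet-stream
1213814403.000    250 10.0.0.31 TCP_HIT/200 2048 GET http://www.example.com/video.html - NONE/- text/html
1213814404.111    700 10.0.0.40 TCP_MISS/200 188416 GET http://203.0.113.78/VIDEO2.EXE - DIRECT/203.0.113.78 application/octet-stream
"""

# Generalises video.exe / video1.exe / video2.exe: a path component "video"
# plus optional digits and the .exe suffix, ending the path or followed by a query.
FAKE_VIDEO_RE = re.compile(r"/video\d*\.exe(?:$|[?#])", re.IGNORECASE)


def find_fake_video_downloads(log_text):
    """Return (client_ip, url) for each request whose URL path looks like the fake codec binary."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or truncated lines
        client, url = fields[2], fields[6]
        if FAKE_VIDEO_RE.search(url):
            hits.append((client, url))
    return hits


def snort_rules_for_variants(variants, base_sid):
    """Build one Snort rule per file name, mirroring the post's rule.

    sids are placeholders counted up from base_sid; the reference URL from the
    post was not preserved, so no reference option is emitted here.
    """
    rules = []
    for i, name in enumerate(variants):
        rules.append(
            'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
            f'(msg:"Trojan.Zlob Binary Requested ({name})"; flow:established,to_server; '
            f'uricontent:"/{name}"; nocase; classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for client, url in find_fake_video_downloads(SAMPLE_LOG):
        print(f"{client} requested {url}")
    for rule in snort_rules_for_variants(["video.exe", "video1.exe", "video2.exe"], 1000001):
        print(rule)
```

Running it against the sample reports the three hosts that pulled video.exe, video1.exe and VIDEO2.EXE while ignoring the harmless video.html request; the generated rules keep the original's direction, flow and classtype so they can be dropped into local.rules once the sids are adjusted.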

Other posts about Zlob:

Friday, June 13, 2008

Use default password, get hijacked

As the title says, use a default password on your wireless/wired router and wait for the new variant of the "Zlob" trojan to infect some machines, then try every default router username/password combination from Or even check this text file and search for your current user/pass to make sure they are not in the list.

Zlob (also known as DNSChanger) modifies the DNS settings to use rogue DNS servers. These name servers resolve non-existent domains (typo-squatting) to IP addresses associated with the authors to generate revenue, and could potentially re-route traffic from legitimate web sites to other suspicious web sites.

Countermeasures against DNSChanger:

  1. Change your router's default password to something complex. Make sure it's long and contains symbols and numbers.
  2. Configure your router to allow management access from a specific machine only (e.g., the admin PC); this prevents infected machines from reaching your router.
  3. Update the current firmware to fix any security issues.
  4. If possible, change the management port to something else (e.g., port 80/443 to 555).
  5. Configure Syslog/SNMP on the router to watch for any configuration modifications or failed logins.
  6. Rename the admin account on the router, or see the next item.
  7. Disable/delete the admin account, and create another one with a different name and password.
  8. Deploy an IDS on your network to detect malicious activities (e.g., router user/pass brute-force attacks, requests to rogue DNS servers, video codec downloads).
  9. Deploy a URL filtering software/appliance that filters access to any malicious websites/pages that provide codecs or fake codecs.
  10. Disable UPnP on your router, because it's not secure anymore. Check here:
  11. Block access to these IPs ( /
  12. Use Purenetwork Security scan for wireless networks,
  13. Keep your machines up to date. Most malware targets a specific vulnerability to reach the system.
  14. Get legitimate video codecs, install them on your machines, and inform your users that their machines are ready to play any video format and there is no need to download codecs from untrusted sites. Check
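Items 8 and 11 watch the network for rogue resolvers; the host side of the same check is to confirm each machine still points at the DNS servers you expect. The script below is an added example (not the post's own code) that parses a constructed excerpt of "ipconfig /all" output, follows the continuation lines that list additional servers, and flags any resolver that is not on the site's allow-list, distinguishing addresses inside a known rogue range from merely unexpected ones. The allow-list and the rogue range are assumed values; the post's actual rogue-server addresses were not preserved, so the range here is a placeholder to be replaced with the published DNSChanger addresses.

```python
import ipaddress
import re

# Constructed excerpt of "ipconfig /all" from a Windows XP-era host (not a real capture).
# The second adapter has had its resolvers changed to addresses outside the site's own DNS.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        IP Address. . . . . . . . . . . . : 192.168.1.15
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            192.168.1.11

Ethernet adapter Wireless Network Connection:

        IP Address. . . . . . . . . . . . : 192.168.2.40
        DNS Servers . . . . . . . . . . . : 203.0.113.5
                                            203.0.113.6
"""

# Resolvers the site expects every host to use (assumed values for this example).
ALLOWED_RESOLVERS = {"192.168.1.10", "192.168.1.11"}

# PLACEHOLDER: substitute the rogue DNS ranges published for the DNSChanger variant you face.
ROGUE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

_ADAPTER_RE = re.compile(r"^(\S.*):\s*$")                     # "Ethernet adapter X:" headers
_DNS_RE = re.compile(r"DNS Servers[ .]*:\s*(\S+)")             # first server on the DNS line
_CONT_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")    # indented extra servers


def parse_resolvers(ipconfig_text):
    """Map adapter name -> list of configured DNS servers, including continuation lines."""
    adapters = {}
    current = None
    in_dns = False
    for line in ipconfig_text.splitlines():
        m = _ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = []
            in_dns = False
            continue
        m = _DNS_RE.search(line)
        if m and current is not None:
            adapters[current].append(m.group(1))
            in_dns = True
            continue
        m = _CONT_RE.match(line)
        if m and in_dns and current is not None:
            adapters[current].append(m.group(1))
            continue
        in_dns = False  # any other line ends the DNS Servers block
    return adapters


def classify_resolver(addr):
    """'expected', 'rogue' (inside a known rogue range) or 'unexpected' (anything else)."""
    if addr in ALLOWED_RESOLVERS:
        return "expected"
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in ROGUE_RANGES):
        return "rogue"
    return "unexpected"


def audit(ipconfig_text):
    """Return (adapter, resolver, verdict) for every resolver not on the allow-list."""
    findings = []
    for adapter, servers in parse_resolvers(ipconfig_text).items():
        for server in servers:
            verdict = classify_resolver(server)
            if verdict != "expected":
                findings.append((adapter, server, verdict))
    return findings


if __name__ == "__main__":
    for adapter, server, verdict in audit(SAMPLE_IPCONFIG):
        print(f"{adapter}: DNS server {server} is {verdict}")
```

On the sample the first adapter is clean and the wireless adapter is reported twice, once per rogue resolver. In practice you would feed it the real "ipconfig /all" output collected from each host (or run the same logic against the router's own WAN DNS settings, since the trojan changes those too) and treat any "unexpected" verdict as worth a look even when it is outside the known rogue ranges.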
Safe browsing ... :)

Tuesday, June 3, 2008

Stop malwares using device control: A real life experience

If you are one of those administrators who try hard to keep their networks clean and prevent the next malware from infecting their systems, this is definitely for you...

Spending thousands of dollars on security solutions that protect the enterprise from the outside alone is an outdated concept. If you ask anyone who works in the security arena what the main sources of malware are today, he'll probably answer: e-mail spam, websites, and removable drives. I've been dealing with anti-anything (malware, viruses, worms, rootkits) for a long time, and I used to judge network security from the antivirus server logs and reports, because these logs give a lot of details, such as the name of the virus, the path on the system, where it came from, etc. Most of the time, I see viruses detected inside the removable drive's root folder, thanks to Windows "AutoPlay", which inspects the type of files and chooses the suitable software to open them. With this, malware gets executed every time you plug your flash drive into your computer.

Many vendors today provide an additional module for their software that controls local system devices based on a policy. For example, Symantec Endpoint Protection 11 is my choice today to protect endpoints: I can block every single device/interface in the machine, such as USB dongles, Bluetooth, PCMCIA, wireless, ports, COM, etc. I had one customer who was struggling to stop malware, and depending on the installed AV alone was a losing game. So I checked the daily logs of the AV server, and I was surprised by the high number of viruses that had been detected on users' USB dongles!

I have to admit that this customer is happier than before, because malware infections have decreased by 70% since we blocked all insecure devices.

A replacement for using USB dongles inside the corporate network is a secure file-sharing server with a multi-antivirus scanner installed to check infected dongles and clean them. The user then copies/moves his files to/from this server without endangering the LAN. The company has accepted this, and life goes on with/without USB dongles :)