Monday, May 17, 2010

Malware Defense-in-Depth 2.0

As the sophistication of malware continues to increase, coupled with the expansion of Web 2.0 technologies and increased browser-based risk, malicious code is on the rise. Implementing a defense-in-depth strategy will help enterprises address zero-day threats by blocking installation of malicious files on endpoints with an improved approach to provide multi-dimensional protection against current and future malware threats.

Saturday, November 21, 2009

Snort IDS GCC User Group

I've been working with folks at Sourcefire - Middle East to help me create a Snort Users Group in the gulf region, and I'm finally ready to announce the launch of GCC (Gulf Cooperation Council) Snort Users Group. Every Snort fan in GCC is welcome to join us.

For Registration:

Tuesday, March 10, 2009

Winner of Master T-Shirt in Experts-Exchange

I am glad to publish the news that I have been chosen as the winner of Master T-Shirt in Experts-Exchange. I am currently in the Master rank in Antivirus zone. For more details, you can select the 'My Experts-Exchange Profile' in the right navigation widget of this weblog.I am publishing the Experts-Recognition appreciation email that I have recieved today

Friday, February 13, 2009

SecurityFocus Interview

This is an interview with me from SecurityFocus about Conficker/Downadup worm

Thursday, January 22, 2009

Beat Downadup/Conficker like a pro: My story from the field

Since there are many websites talked for days about Conficker/Downadup. Today, I have something different especially for system admins.
I've been busy for the last three days, building defense lines around critical servers for one of my customers. The source of infection was due to one lazy user, who has no antivirus installed on his laptop. And it didn't take a long time to start spreading and attacking other systems in the network. We have responded fast, otherwise, we would spend the rest of the day, counting how many critical systems are down.

My plan was to build a barrier around critical servers, then move forward. By making sure that every running system is already protected by the current AV software (Symantec Endpoint Protection) that was already blocking the attack successfully. It was not a big hit, because 98% of the systems were protected by SEP, which has decreased the number of infected systems. Cheer up people; I've created a windows batch that would reverse and cure side-effects of Downadup:

1) Re-enable and start the following services:

Background Intelligent Transfer Service
Windows Automatic Update Service
Windows Security Center Service
Windows Defender Service
Windows Error Reporting Service

2) Check MS WSUS for any missed updates (Due to disabling/stopping of windows update service during infection period)

3) Run Symantec FixDownadup tool

5) Reboot system

This batch covers the following OS versions:

1) Windows 2000
2) Windows XP
3) Windows 2003
4) Windows Vista SP0/SP1
Note: Some OS versions or 64-bit are not supported by this batch, may be soon.

To start working, first we need to download the required patches + fix tool:

Symantec FixDownadupTool:
Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users). And you can use Psexec ( to import a text file that contains the infected machines and run it using a privileged account like a Windows domain admin.

Here is for example, the Vista OS part (from the batch):
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "wuauserv"
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Fixing Downadup infection ...
\\ServerName\ShareName\FixDownadup.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt
copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System in one minute ...
shutdown /r /f /c "Rebooting system, you have 1 minute to save your work"
goto exit

Download Batch (MSN SkyDrive Hosting, Right-click & save won't work. Follow the link then click on the white file in the left)

Good Luck

Wednesday, December 31, 2008

kaminsky's DNS bug + Rogue CA Certificates = Trust No One

If there has been any missing part in most of the previous clever and sophisticated phishing attacks, it would be a valid SSL certificate signed by a valid CA.

Recently, a smart group of cryptography researchers have successfully exploited a bug in the MD5 hashing algorithm that allows them to hack VeriSign's certificate authority and create fake digital certificates for any Web site on the Internet.

I won't talk about their findings here; you can check it out here:

Today I'll draw the attention to a couple of possible attack scenarios that Phishers and malware authors can use by combining techniques that would be very difficult to stop unless a number of defenses is being used against.
The techniques of this attack are:

1) DNS Cache Poisoning Attack (For directing victims to fake sites like banks)

2) SQL injection Attack (For injecting IFrame redirectors into high traffic website, to redirect visitor to the fake website)

3) Double Flex Network (botnet) that would host malicious name servers (malicious/phishing websites resolution) and webservers (host the malicious/phished site)

4) Rouge CA SSL Certificates (For fooling victims who are visiting a website that is secured by using a valid SSL certificate, and the browser is showing a padlock indicating that it's a safe and legitimate website)

So, hackers have multiple targets to meet to launch a perfect attack. Well, the first three techniques are being used nowadays, but were lacking a very important member in the crew, Trust.
Before, nobody was able to break the trust rule and build a complete, flawless phishing attack. Now they can generate any valid certificate and make their phishing bank websites appear legitimate and secure. End user who is dealing with secure online transactions will be comfortable when he sees the padlock and there are no warning signs about website identity.
Countermeasures for (Website Admins):
1) Replace MD5-based SSL certificates, with SHA-1 certificates because they are more secure.
2) Use Extended Validation certificates (EV).
Countermeasures for (CA):
1) Stop issuing MD5-based SSL certificates, and replace them with SHA-1 certificates
2) Encourage customers to replace their MD5-certificates with SHA-1 certificates
3) Encourage customers to upgrade their certificates to Extended Validation (EV) for more security. See
4) Monitor "Certificate Signing Requests" by the same user in quick succession
5) Add randomness to the certificate fields, like the serial number field.
Countermeasures for (Users):
The basics:

1) Padlock appearance is not enough, you should move on with other ways to make sure your visiting the legitimate and secure website.

2) Upgrade your browser to the latest version (IE 8 / FF 3 / Opera 10) to use their built-in anti-phishing capabilities.

3) Install good endpoint security software to stop malwares, and make sure it's updating definitions daily. The latest versions includes online security features like (Norton Internet Security 2009 and Kaspersky Internet Security 2009)

4) Install Windows patches and service packs to stop malwares and online attacks from exploiting any vulnerability in your system.

5) Install and updates all ActiveX components in your browser by upgrading the original software (ex. PDF reader ActiveX, you should upgrade Adobe Reader. Real player embedded ActiveX; you should upgrade RealPlayer…and so on). You can use Secunia Personal Software Inspector (PSI) to scan your system for insecure softwares and utilities.

The Advanced:

If you want to do any online transactions, use Authentium’s SafeCentral to create a secure session between a locked-down browser and your online bank. It has capabilities to defend against the following attacks: Keyloggers, Spywares, DNS poisoning, Malwares, Sniffing, Man-in-the-middle
Visit their website: