<div><strong>Extreme Security -- Do It Securely or Not at all!</strong><br />Blog by Ayed Alqarta (feed updated 2024-03-05)</div>
<br /><br />
<div><strong>Malware Defense-in-Depth 2.0</strong> (published 2010-05-17)</div>
<div>As the sophistication of malware continues to increase, and the spread of Web 2.0 technologies raises browser-based risk, malicious code is on the rise. A defense-in-depth strategy helps enterprises address zero-day threats: malicious files are blocked before they are installed on endpoints, and several independent layers provide multi-dimensional protection against current and future malware.</div>
<div>Slides: <strong><a href="http://www.slideshare.net/aqarta/malware-defenseindepth-20" title="Malware Defense-in-Depth 2.0">Malware Defense-in-Depth 2.0</a></strong> (on SlideShare; more presentations from <a href="http://www.slideshare.net/aqarta">Aaed Alqarta</a>).</div>
<br />Ayed Alqarta
<br /><br />
<div><strong>Snort IDS GCC User Group</strong> (published 2009-11-21)</div>
<div>I've been working with folks at <a href="http://www.sourcefire.com/">Sourcefire</a> Middle East to help me create a Snort Users Group in the Gulf region, and I'm finally ready to announce the launch of the GCC (Gulf Cooperation Council) Snort Users Group. Every Snort fan in the GCC is welcome to join us.<br /><br />For registration:<br /><br /><a href="https://lists.snort.org/mailman/listinfo/gcc_sug">https://lists.snort.org/mailman/listinfo/gcc_sug</a></div>
<br />Ayed Alqarta
<br /><br />
<div><strong>Winner of Master T-Shirt in Experts-Exchange</strong> (published 2009-03-10)</div>
<div><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVxEPi5r2grZydX5ut-qTuO1Xp2FZzrcS2ucxigX8oJxZYvJFNgTt9FhyphenhyphenwxOkTNi9xs_ZGNe2SR1c93igctGrkqZ9iidBA-lZGWmjIUtG2Oa0UWwSfkjGzbOxY4V4czyR2sA-pxvJAOhPX/s320/x.jpg" alt="" /></div>
<div><span style="font-size:130%;">I am glad to publish the news that I have been chosen as the winner of the Master T-Shirt in Experts-Exchange. I am currently in the Master rank in the Antivirus zone. For more details, select 'My Experts-Exchange Profile' in the right navigation widget of this weblog. Below is the Experts-Recognition appreciation email that I received today.</span></div>
<div><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr_10CypUMrF16giM5rqQnerE7vIt6JBrV4tIc9sQMW6sfhM76fNNuGaCNPmib2H7yleUUwrDc7ZHFWguRxOWEbtA6iZrF3Tkk0V3SUImxfq8w5Q-jpwLJb7gXg_4JztPpDlwmQvJhZEXe/s320/cert.jpg" alt="" /></div>
<br />Ayed Alqarta
<br /><br />
<div><strong>SecurityFocus Interview</strong> (published 2009-02-13)</div>
<div><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9ZUZVyR1uKY0qp_1au7olpnBSVoiC00FE8TyVFmHZ0-89pR0xlB9H4PlB8ZQxLaJhE9-oIwLZRRzmAgkS_HsKHgF2cGGDl_8YTrnLdWRVMLElNMZ1qWhnHwBquEDDdiphbxUphcMO7Is3/s400/icon_securityfocus.jpg" alt="" /></div>
<div><a href="http://www.securityfocus.com/news/11546/2">This</a> is an interview with me from SecurityFocus about the Conficker/Downadup worm.</div>
<br />Ayed 
Alqarta
<br /><br />
<div><strong>Recommended Readings: Latest security books</strong> (published 2009-01-25)</div>
<div><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9ynfZ9kh10T0buj1xDN4ljXDCXrsZBl4cn-zYfgKqGMYUmBzcM64at-iCxqPVj8fxSNds0Lw8xSJJtUke_iLAaf_dLXtLCEsZfSlg-pfr2BGXh3iTD7Q8tHo4PUrkOI0NMMCUbupVgh4g/s320/books.jpg" alt="" /></div>
<div>I recommend reading the following books because they focus on malware (except Nmap Network Scanning, I know, but it's a good addition to your bookshelf).<br /><br /></div>
<div>1) <a href="http://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717?&camp=212361&linkCode=wey&tag=extreme04-20&creative=380733">Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning</a></div>
<div><br /></div>
<div>2) <a href="http://www.amazon.com/Malware-Forensics-Investigating-Analyzing-Malicious/dp/159749268X?&camp=212361&linkCode=wey&tag=extreme04-20&creative=380733">Malware Forensics: Investigating and Analyzing Malicious Code</a></div>
<div><br /></div>
<div>3) <a href="http://www.amazon.com/HACKING-EXPOSED-MALWARE-ROOTKITS-Michael/dp/0071591184?&camp=212361&linkCode=wey&tag=extreme04-20&creative=380733">Hacking Exposed Malware and Rootkits</a></div>
<div><br /></div>
<div>4) <a href="http://www.amazon.com/Mobile-Malware-Attacks-Defense-Dunham/dp/1597492981?&camp=212361&linkCode=wey&tag=extreme04-20&creative=380733">Mobile Malware Attacks and Defense</a></div>
<div><br /></div>
<div>5) <a href="http://www.amazon.com/Crimeware-Understanding-Attacks-Defenses-Symantec/dp/0321501950?&camp=212361&linkCode=wey&tag=extreme04-20&creative=380733">Crimeware: Understanding New Attacks and Defenses</a></div>
<div><br /></div>
<div>Happy Reading :)</div>
<br />Ayed Alqarta
<br /><br />
<div><strong>Beat Downadup/Conficker like a pro: My story from the field</strong> (published 2009-01-22)</div>
<div><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNyTgt4Q563TCWRT3trYISz57OwimQGl36zf38bsEgj6x6K7PwuzF8Te16S7KUN96RrS5pzE6aESZmnxkQEYSBpA3bLo5NoryQ_njz4fXsExUhDopXnOXsYt4yMRqzzd8odGepPRagdGeE/s320/worm.jpg" alt="" /></div>
<div>Many websites have talked about Conficker/Downadup for days; today I have something different, especially for system admins.<br />I've been busy for the last three days building defense lines around critical servers for one of my customers. The source of the infection was one lazy user who had no antivirus installed on his laptop.
And it didn't take long to start spreading and attacking other systems in the network. We responded fast; otherwise we would have spent the rest of the day counting how many critical systems were down.</div>
<div><br />My plan was to build a barrier around the critical servers first, then move forward, by making sure that every running system was already protected by the current AV software (Symantec Endpoint Protection), which was already blocking the attack successfully. It was not a big hit, because 98% of the systems were protected by SEP, which kept the number of infected systems down. Cheer up, people: I've created a Windows batch that reverses and cures the side effects of Downadup:</div>
<div><br />1) Re-enable and start the following services:<br /><br />Background Intelligent Transfer Service<br />Windows Automatic Update Service<br />Windows Security Center Service<br />Windows Defender Service<br />Windows Error Reporting Service<br /><br />2) Check MS WSUS for any missed updates (the Windows Update service was disabled/stopped during the infection period)</div>
<div><br />3) Run the Symantec FixDownadup tool (<a href="http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99">http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99</a>)</div>
<div><br />4) Install <strong>MS08-067</strong> (<a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx">http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx</a>)</div>
<div><br />5) Reboot the system</div>
<div><br />This batch covers the following OS versions:</div>
<div><br />1) Windows 2000<br />2) Windows XP<br />3) Windows 2003<br />4) Windows Vista SP0/SP1<br />Note: Some OS versions and 64-bit editions are not supported by this batch yet; maybe soon.</div>
<div><br />To start working, first we need to download the required patches and the fix tool:</div>
<div><br />Windows 2000: <a href="http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE">http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE</a></div>
<div><br />Windows 2003: <a href="http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe">http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe</a></div>
<div><br />Windows XP: <a href="http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe">http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe</a></div>
<div><br />Windows Vista SP0 + SP1: <a href="http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu">http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu</a></div>
<div><br />Symantec FixDownadup tool: <a href="http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe">http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe</a><br />Create a shared folder on some server to hold the downloaded files (apply read-only permission for all users). Then use PsExec (<a href="http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx">http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx</a>) with a text file listing the infected machines to run the batch on them under a privileged account such as a Windows domain admin.
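<div><br />An added example (not the author's code, nor part of the batch) for re-checking the hosts once the batch has run: it parses the text printed by "sc qc" and "sc query" for the five services Downadup disables and lists those still not set to auto-start or not running. The service names are the ones the batch uses; the sample outputs are constructed in the shape "sc" prints, not captured from a real host.</div>

```python
"""Post-cleanup audit for the services Downadup/Conficker disables.

Added example, not code from the post or its batch.  The batch re-enables
BITS, wuauserv, wscsvc, WinDefend and WerSvc; this script parses the text
that `sc qc <service>` and `sc query <service>` print on a Windows host and
reports each service that is still not AUTO_START or still not RUNNING, so
the machine list used with psexec can be re-checked after the batch has run.
"""
import re
from typing import Dict, List, Optional, Tuple

# Short service names used by the Vista part of the batch.
DOWNADUP_SERVICES = ("BITS", "wuauserv", "wscsvc", "WinDefend", "WerSvc")

# `sc qc` prints e.g. "        START_TYPE         : 4   DISABLED"
_START_TYPE = re.compile(r"START_TYPE\s*:\s*\d+\s+(\w+)")
# `sc query` prints e.g. "        STATE              : 1  STOPPED"
_STATE = re.compile(r"STATE\s*:\s*\d+\s+(\w+)")
# `sc` prints this error when the service is not installed on the host.
_NOT_INSTALLED = "FAILED 1060"


def parse_start_type(sc_qc_output: str) -> Optional[str]:
    """Return AUTO_START / DEMAND_START / DISABLED from `sc qc` text, or None."""
    match = _START_TYPE.search(sc_qc_output)
    return match.group(1) if match else None


def parse_state(sc_query_output: str) -> Optional[str]:
    """Return RUNNING / STOPPED / ... from `sc query` text, or None."""
    match = _STATE.search(sc_query_output)
    return match.group(1) if match else None


def audit_host(qc_outputs: Dict[str, str],
               query_outputs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (service, finding) pairs for services still showing worm side effects.

    Both arguments map a service name to the captured text of `sc qc <name>`
    and `sc query <name>`.  A service `sc` reports as not installed (e.g.
    WinDefend on Windows 2000/XP) is listed as 'not installed' so the operator
    can judge whether that is expected for the OS version.
    """
    findings = []
    for name in DOWNADUP_SERVICES:
        qc_text = qc_outputs.get(name, "")
        if not qc_text or _NOT_INSTALLED in qc_text:
            findings.append((name, "not installed"))
            continue
        start_type = parse_start_type(qc_text)
        if start_type != "AUTO_START":
            findings.append((name, f"start type is {start_type}"))
        state = parse_state(query_outputs.get(name, ""))
        if state != "RUNNING":
            findings.append((name, f"state is {state}"))
    return findings


# Constructed sample outputs in the shape `sc` prints; not captured from a real host.
SAMPLE_QC = {
    "BITS": "SERVICE_NAME: BITS\n        TYPE               : 20  WIN32_SHARE_PROCESS\n"
            "        START_TYPE         : 4   DISABLED\n",
    "wuauserv": "SERVICE_NAME: wuauserv\n        START_TYPE         : 2   AUTO_START\n",
    "wscsvc": "SERVICE_NAME: wscsvc\n        START_TYPE         : 2   AUTO_START\n",
    "WinDefend": "[SC] OpenService FAILED 1060:\n\n"
                 "The specified service does not exist as an installed service.\n",
    "WerSvc": "SERVICE_NAME: WerSvc\n        START_TYPE         : 3   DEMAND_START\n",
}
SAMPLE_QUERY = {
    "BITS": "SERVICE_NAME: BITS\n        STATE              : 1  STOPPED\n",
    "wuauserv": "SERVICE_NAME: wuauserv\n        STATE              : 4  RUNNING\n",
    "wscsvc": "SERVICE_NAME: wscsvc\n        STATE              : 1  STOPPED\n",
    "WerSvc": "SERVICE_NAME: WerSvc\n        STATE              : 4  RUNNING\n",
}

if __name__ == "__main__":
    for service, finding in audit_host(SAMPLE_QC, SAMPLE_QUERY):
        print(f"{service:10s} {finding}")
```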
</div>
<div><br />Here is, for example, the Vista part of the batch:<br />....<br /><span style="font-size:85%;">:ver_vista-sp0<br />echo Enabling BITS ...<br />sc config bits start= auto<br />echo Starting BITS ...<br />net start "Background Intelligent Transfer Service"<br />echo Enabling Automatic Updates ...<br />sc config wuauserv start= auto<br />echo Starting Automatic Updates ...<br />net start "wuauserv"<br />echo Checking MS WSUS for any missing updates ...<br />wuauclt.exe /detectnow<br />echo Enabling Windows Security Center Service (wscsvc) ...<br />sc config wscsvc start= auto<br />echo Starting Windows Security Center ...<br />net start wscsvc<br />echo Enabling Windows Defender Service (WinDefend) ...<br />sc config WinDefend start= auto<br />echo Starting Windows Defender ...<br />net start WinDefend<br />echo Enabling Windows Error Reporting Service (WerSvc) ...<br />sc config WerSvc start= auto<br />echo Starting Windows Error Reporting ...<br />net start WerSvc<br />echo Fixing Downadup infection ...<br />\\ServerName\ShareName\FixDownadup.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt<br />copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt<br />echo Patching MS08-067 ...<br />wusa.exe \\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart<br />echo Rebooting System in one minute ...<br />shutdown /r /f /t 60 /c "Rebooting system, you have 1 minute to save your work"<br />goto exit<br />....</span></div>
<p><span style="font-size:85%;"><a href="http://cid-f790ac08c17bf7fa.skydrive.live.com/self.aspx/.Public/Clean-Downadup-v1.bat" target="_new">Download Batch</a> (MSN SkyDrive hosting; right-click &amp; save won't work. Follow the link, then click on the white file on the left.)<br /><br />Good Luck</span></p>
<br />Ayed Alqarta
<br /><br />
<div><strong>Kaminsky's DNS bug + Rogue CA Certificates = Trust No One</strong> (published 2008-12-31)</div>
<div><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7FvWB8b4gtOCoNau-csYuXsHUeDKVs_yBv2F77cYbmSpd2YEhyphenhyphenizj087XqYFa-097pluGLiNNbEozxpjaOdskSAfRD5HuRMhbQ3Cpmb2TgG4Z6Hg_pBItyEqZV_hgMeban9Tr0w5owSQQ/s320/team.png" alt="" /></div>
<div>If there has been any missing part in most of the previous clever and sophisticated phishing attacks, it would be a valid SSL certificate signed by a valid CA.
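<div><br />An added example, not the author's code: the post below explains how MD5-signed certificates were abused to obtain a rogue CA, and the countermeasures it lists start with finding and replacing MD5-signed certificates (for site admins) and randomizing serial numbers (for CAs). The minimal DER walker here reads exactly those two fields of a certificate, the signatureAlgorithm OID and the serialNumber, and flags MD5/MD2 signatures and short serials; the certificate it builds for the demonstration is a constructed stand-in, not a real certificate.</div>

```python
"""Find MD5-signed certificates and short serial numbers in DER X.509 data.

Added example, not code from the post.  Reads only the outer structure of a
certificate: the signatureAlgorithm OID (site admins are asked to replace
MD5-signed certificates) and the tbsCertificate serialNumber (CAs are asked
to randomize it).  Input is DER; convert PEM first with ssl.PEM_cert_to_DER_cert.
The certificate built by fake_certificate() is a constructed stand-in with a
placeholder signature, not a real certificate.
"""
from typing import Dict, Tuple

SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_HASH_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}
# RFC 5280 allows serials up to 20 octets; sequential issuance uses far fewer.
MIN_RANDOM_SERIAL_OCTETS = 8


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits = number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear ends this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def inspect_certificate(der: bytes) -> Dict[str, object]:
    """Return signature algorithm, serial number and weakness flags for a DER certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = _read_tlv(cert, 0)            # tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)        # signatureAlgorithm
    oid_tag, oid_body, _ = _read_tlv(sig_alg, 0)
    if oid_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(oid_body)
    tag, serial, pos = _read_tlv(tbs, 0)        # serialNumber, unless [0] version comes first
    if tag == 0xA0:
        tag, serial, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return {
        "signature_algorithm": SIGNATURE_ALGORITHMS.get(oid, oid),
        "weak_hash": oid in WEAK_HASH_OIDS,
        "serial": int.from_bytes(serial, "big", signed=True),
        "serial_octets": len(serial),
        "short_serial": len(serial) < MIN_RANDOM_SERIAL_OCTETS,
    }


def _der(tag: int, body: bytes) -> bytes:
    """DER-encode one TLV (used only to build the constructed test certificate)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length_bytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        digits = [arc & 0x7F]
        arc >>= 7
        while arc:
            digits.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(digits)
    return bytes(out)


def fake_certificate(sig_oid: str, serial: bytes) -> bytes:
    """Constructed v3 stand-in with the outer X.509 layout; the TBS holds version and serial only."""
    version = _der(0xA0, _der(0x02, b"\x02"))            # [0] EXPLICIT INTEGER 2 (v3)
    tbs = _der(0x30, version + _der(0x02, serial))
    algorithm = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    signature = _der(0x03, b"\x00" + b"\xaa" * 16)       # placeholder BIT STRING
    return _der(0x30, tbs + algorithm + signature)


if __name__ == "__main__":
    print(inspect_certificate(fake_certificate("1.2.840.113549.1.1.4", b"\x01\x00")))
```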
</div>
<div><br />Recently, a smart group of cryptography researchers successfully exploited a weakness in the MD5 hashing algorithm that allowed them to obtain a rogue CA certificate from VeriSign's <a href="http://www.rapidssl.com/index_ssl.htm" target="_blank"><strong>RapidSSL.com</strong></a> certificate authority, and with it create fake digital certificates for any website on the Internet.</div>
<div><br />I won't talk about their findings here; you can check them out at <a href="http://www.win.tue.nl/hashclash/rogue-ca/">http://www.win.tue.nl/hashclash/rogue-ca/</a>.</div>
<div><br />Today I'll draw attention to a couple of possible attack scenarios in which phishers and malware authors combine techniques that are very difficult to stop unless several defenses are used together.<br />The techniques of this attack are:</div>
<div><br />1) <strong>DNS cache poisoning attack</strong> (directing victims to fake sites such as banks)</div>
<div><br />2) <strong>SQL injection attack</strong> (injecting IFrame redirectors into a high-traffic website to redirect visitors to the fake website)</div>
<div><br />3) <strong>Double-flux network</strong> (botnet) that hosts malicious name servers (resolution for the malicious/phishing websites) and web servers (hosting the malicious/phished site)</div>
<div><br />4) <strong>Rogue CA SSL certificates</strong> (fooling victims who are visiting a website secured with an apparently valid SSL certificate, with the browser showing a padlock indicating that it is a safe and legitimate website)</div>
<div><br />So, attackers have multiple targets to meet to launch a perfect attack. The first three techniques are used nowadays, but were lacking a very important member of the crew: <em>trust</em>.</div>
<div>Before, nobody was able to break the trust rule and build a complete, flawless phishing attack. Now they can generate a certificate that validates and make their phishing bank websites appear legitimate and secure. An end user doing secure online transactions will feel comfortable when he sees the padlock and there are no warnings about the website's identity.</div>
<div><br />Countermeasures for website admins:</div>
<div>1) Replace MD5-based SSL certificates with SHA-1 certificates, because they are more secure.</div>
<div>2) Use Extended Validation (EV) certificates.</div>
<div><br />Countermeasures for CAs:</div>
<div>1) Stop issuing MD5-based SSL certificates, and replace them with SHA-1 certificates</div>
<div>2) Encourage customers to replace their MD5 certificates with SHA-1 certificates</div>
<div>3) Encourage customers to upgrade their certificates to Extended Validation (EV) for more security. See <a href="http://www.verisign.com/ssl/ssl-information-center/extended-validation-ssl-certificates/">http://www.verisign.com/ssl/ssl-information-center/extended-validation-ssl-certificates/</a></div>
<div>4) Monitor certificate signing requests from the same user in quick succession</div>
<div>5) Add randomness to the certificate fields, like the serial number field (the collision attack depends on predicting the fields the CA will sign).</div>
<div><br />Countermeasures for users:</div>
<div>The basics:</div>
<div><br />1) The padlock alone is not enough; use other ways to make sure you are visiting the legitimate and secure website.
</div>
<div><br />2) Upgrade your browser to the latest version (IE 8 / FF 3 / Opera 10) to use its built-in anti-phishing capabilities.</div>
<div><br />3) Install good endpoint security software to stop malware, and make sure it updates definitions daily. The latest versions include online security features (for example Norton Internet Security 2009 and Kaspersky Internet Security 2009).</div>
<div><br />4) Install Windows patches and service packs to stop malware and online attacks from exploiting vulnerabilities in your system.</div>
<div><br />5) Install and update all ActiveX components in your browser by upgrading the original software (e.g. for the PDF reader ActiveX, upgrade Adobe Reader; for the RealPlayer embedded ActiveX, upgrade RealPlayer; and so on). You can use Secunia Personal Software Inspector (PSI) to scan your system for insecure software and utilities.</div>
<div><br />The advanced:<br /><br />If you want to do any online transactions, use Authentium's SafeCentral to create a secure session between a locked-down browser and your online bank. It has capabilities to defend against the following attacks: keyloggers, spyware, DNS poisoning, malware, sniffing and man-in-the-middle.<br /></div>
<div>Visit their website: <a href="http://www.safecentral.com/">http://www.safecentral.com/</a></div>
<br />Ayed Alqarta
<br /><br />
<div><strong>DNS Changer 2.0</strong> (published 2008-12-19)</div>
<div><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPDDZnShAyUBF1n-DK7OKLGSYKO-l-HUtkFYB4TB3jDTA4ekkDrhdkaKJUtV9X8sHxvC84pUGGKMq-UxrHIn298ZYrLrfTWuwHHKgth3L93h2UL50lWCenFV129BUuQ-aT-mtZR3gMBaeE/s320/1.jpg" alt="" /></div>
<div>DNS Changer 2.0 (Trojan.Flush.M) is the next in-the-wild variant of this famous malware. The strategy has changed: there is no need to modify the DNS settings on ADSL routers. Instead, it installs a network driver (NDISProt.sys) that allows the malware to send and receive raw Ethernet packets. This approach helps it bypass the Windows TCP/IP stack, the firewall and HIPS.</div>
<div><br />It installs a rogue DHCP server on the infected machine, listens for DHCP requests and responds with its own crafted DHCP offer packets. The reply contains malicious DNS servers, which redirect hosts to infected websites that include everything from phishing to exploit-and-infect pages.</div>
<div><br />The question is how to protect against and prevent such attacks.
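<div><br />An added example, not the author's code, of the check that the Snort and tcpdump items of the checklist below perform on the wire: decode a DHCP reply's BOOTP header and options, and alert when the reply comes from a server that is not in the authorized list or advertises DNS servers outside the approved set, which is what this Trojan's crafted offers do. The authorized server, the approved DNS addresses and the packets are constructed sample values.</div>

```python
"""Flag rogue DHCP replies by server identity and advertised DNS servers.

Added example, not code from the post.  DNS Changer 2.0 answers DHCP requests
with crafted offers that hand out malicious DNS servers; the Snort and
tcpdump items of the checklist catch this by watching for replies from
non-authorized servers.  This does the same check on a decoded DHCP UDP
payload and also compares the advertised DNS servers with the approved set.
Server and DNS addresses and the packets below are constructed sample values.
"""
import ipaddress
from typing import Dict, Iterable, List

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREPLY = 2
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 6, 53, 54, 255


def _ip(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


def parse_dhcp(payload: bytes) -> Dict[str, object]:
    """Decode the BOOTP header fields and options a rogue-server check needs."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options: Dict[int, bytes] = {}
    pos = 240
    while pos < len(payload):
        code = payload[pos]
        if code == OPT_END:
            break
        if code == 0:                         # pad option: single byte, no length
            pos += 1
            continue
        length = payload[pos + 1]
        options[code] = payload[pos + 2:pos + 2 + length]
        pos += 2 + length
    server_id = options.get(OPT_SERVER_ID)
    dns_raw = options.get(OPT_DNS, b"")
    return {
        "op": payload[0],
        "message_type": MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN"),
        "yiaddr": _ip(payload[16:20]),        # address being offered to the client
        "server_id": _ip(server_id) if server_id else None,
        "dns_servers": [_ip(dns_raw[i:i + 4]) for i in range(0, len(dns_raw) - 3, 4)],
    }


def check_reply(src_ip: str, payload: bytes, authorized_servers: Iterable[str],
                approved_dns: Iterable[str]) -> List[str]:
    """Return alerts for a DHCP server reply; an empty list means it looks legitimate."""
    info = parse_dhcp(payload)
    if info["op"] != BOOTREPLY:
        return []                             # client messages are not checked here
    alerts = []
    if src_ip not in authorized_servers:
        alerts.append(f"{info['message_type']} from unauthorized server {src_ip}")
    if info["server_id"] and info["server_id"] not in authorized_servers:
        alerts.append(f"server identifier {info['server_id']} is not an authorized DHCP server")
    bad_dns = [d for d in info["dns_servers"] if d not in approved_dns]
    if bad_dns:
        alerts.append(f"reply to {info['yiaddr']} advertises unapproved DNS servers {bad_dns}")
    return alerts


def build_reply(msg_type: int, yiaddr: str, server_id: str, dns: List[str]) -> bytes:
    """Construct a minimal BOOTREPLY payload for testing (not a captured packet)."""
    header = bytes([BOOTREPLY, 1, 6, 0]) + b"\x00" * 12   # op, htype, hlen, hops, xid, secs, flags, ciaddr
    header += ipaddress.IPv4Address(yiaddr).packed         # yiaddr at offset 16
    header += b"\x00" * (236 - len(header))                # siaddr, giaddr, chaddr, sname, file
    dns_bytes = b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    options = (bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
               + bytes([OPT_DNS, len(dns_bytes)]) + dns_bytes + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    AUTHORIZED = {"192.168.1.1"}                   # constructed: the one production DHCP server
    APPROVED_DNS = {"192.168.1.1", "192.168.1.2"}  # constructed: resolvers the real server hands out
    legit = build_reply(2, "192.168.1.50", "192.168.1.1", ["192.168.1.1"])
    rogue = build_reply(2, "192.168.1.50", "192.168.1.77", ["198.51.100.10", "203.0.113.5"])
    for src, pkt in (("192.168.1.1", legit), ("192.168.1.77", rogue)):
        print(src, check_reply(src, pkt, AUTHORIZED, APPROVED_DNS) or ["ok"])
```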
Here is my compiled checklist:</div>
<div><br /></div>
<div>1) As always, keep your systems up to date and make sure you are using/have deployed the latest browser (IE 7/8, FF 3, Google Chrome or Opera 10) in your network, because the attack always starts by exploiting an old browser and then proceeds with the rest of the chain.</div>
<div><br /></div>
<div>2) Make sure your antivirus is prepared to detect and block this malware. If you detect any suspicious process listening on UDP port 67, upload it to your vendor or to <a href="http://virustotal.com/">virustotal.com</a>.</div>
<div><br /></div>
<div>3) If you are a Cisco shop, you are lucky, because Cisco switches have a built-in security mechanism called "DHCP Snooping": a DHCP security feature that filters untrusted DHCP messages and builds and maintains a DHCP snooping binding table. Read more about it:<br /><a href="http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/12ew/configuration/guide/dhcp.pdf">http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/12ew/configuration/guide/dhcp.pdf</a><br /><br />This is an example of enabling DHCP Snooping on a Cisco switch:<br /><br /><span style="color:#ff0000;">switch(config)# ip dhcp snooping<br /></span>! Enables DHCP Snooping globally<br /><span style="color:#ff0000;">switch(config)# ip dhcp snooping vlan &lt;vlan_id&gt;{,&lt;vlan_id&gt;}</span><br />! Enables DHCP Snooping for specific VLANs<br /><span style="color:#ff0000;">switch(config-if)# ip dhcp snooping trust<br /></span>! Sets the interface to the trusted state (the port towards the real DHCP server); only trusted ports may pass DHCP replies<br /><span style="color:#ff0000;">switch(config-if)# ip dhcp snooping limit rate &lt;rate&gt;<br /></span>! Sets the DHCP packet rate limit (packets per second) for DHCP Snooping on the interface<br /><br /><br />4) Use the "DHCPLOC Utility" to detect rogue DHCP servers on your network. Get it from here (<a href="http://technet2.microsoft.com/windowsserver/en/library/8fa42e83-ec08-4a9b-9057-8909f7ed433e1033.mspx?mfr=true">http://technet2.microsoft.com/windowsserver/en/library/8fa42e83-ec08-4a9b-9057-8909f7ed433e1033.mspx?mfr=true</a>)<br /><br />With this tool, you can determine which DHCP servers are available to a DHCP client and detect unauthorized DHCP servers on a subnet.</div>
<div><br /><br />5) Use "DhcpExplorer", a tool that discovers DHCP servers on your local subnet or LAN. This is useful for locating servers that are not supposed to be on your network (rogue DHCP servers) as well as checking the expected output of known servers. The tool has a user-friendly interface and is easy to use. Download it from here:<br /><a href="http://www.filesland.com/companies/Nsasoft-LLC/download/DhcpExplorer.exe">http://www.filesland.com/companies/Nsasoft-LLC/download/DhcpExplorer.exe</a></div>
<div><br /></div>
<div>6) Use "DHCPing", a simple utility that, like ping, tests for running DHCP servers. The results of a dhcping scan can be matched against a list of known DHCP servers on your network. Anything showing up in the scan that is not in your server inventory should be suspect. Get it from here: <a href="http://www.securiteam.com/tools/5TP0G0KDFG.html">http://www.securiteam.com/tools/5TP0G0KDFG.html</a><br /><br /><br />7) If you are a Microsoft shop, make sure that you have configured DHCP server authorization correctly; read here for more details:<br /><a href="http://technet.microsoft.com/en-us/library/cc781697.aspx">http://technet.microsoft.com/en-us/library/cc781697.aspx</a></div>
<div><br /><br />8) If you use Nmap (and you should, by the way), you can scan your network for hosts that listen on port 67. See this example:<br /><br /><span style="color:#ff0000;">nmap -sU -P0 -p 67-68 -oN dhcp-scan-results 192.168.0-3.*</span><br /><br />Replace 192.168.0-3.* with your network's IP range.</div>
<div><br /><br />9) Snort is your watchdog while you are busy. Modify your snort.conf file to add a new server list, like this:<br /><br /><span style="color:#ff0000;">var AUTHORIZED_DHCP [1.1.1.1,2.2.2.2]</span><br /><br />Replace 1.1.1.1, 2.2.2.2 with your production DHCP servers (and any DHCP relay agents, whose forwarded replies are also sourced from port 67).<br /><br />And use this rule to detect rogue DHCP servers; it matches any server reply (UDP source port 67 to the client port 68, whether broadcast or unicast) that does not come from the list above:<br /><br /><span style="color:#ff0000;">alert udp !$AUTHORIZED_DHCP 67 -&gt; any 68 (msg:"Rogue DHCP Server On Network"; sid:1000001; rev:1;)<br /></span><br /><br />10) If you have tcpdump around, you can run it with this BPF filter to detect rogue DHCP servers (replace the two placeholder addresses with your production DHCP servers):<br /><br /><span style="color:#ff0000;">tcpdump -i eth0 -nn 'udp src port 67 and not (host x.x.x.x or host y.y.y.y)'</span><br /><br />11) And last, double-check with your host-based firewall vendor that their product supports NDIS-level firewalling. This means the firewall protects against unauthorized NDIS protocol registration by hooking <strong>NdisRegisterProtocol()/NdisOpenAdapter()</strong>, so it is notified when an NDIS protocol is being registered or is binding to some adapter.<br /><br /><br />Related Posts:</div>
<div><a href="http://extremesecurity.blogspot.com/2008/06/use-default-password-get-hijacked.html">Use default passwords, get hijacked!
</a></div>Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-85486192441687907702008-10-15T11:09:00.000-07:002008-10-15T14:52:08.913-07:00The Honeynet Project - Kuwait Chapter<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT7bCP8oM3Ua-oHsr9qmNSwEAJpoaf9c_QWTc59Oszh0s3VF_tqIDLjCrpGAEJDyxHf9p3nptPSoYgl85woavVOodpbSEs9zbIzUzfa_nvklSJd4BM2pbphwqZnoUyiSBbseDmWXE2cNpt/s1600-h/1.jpg"><img id="BLOGGER_PHOTO_ID_5257451258604616034" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 300px; CURSOR: hand; HEIGHT: 175px" height="169" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT7bCP8oM3Ua-oHsr9qmNSwEAJpoaf9c_QWTc59Oszh0s3VF_tqIDLjCrpGAEJDyxHf9p3nptPSoYgl85woavVOodpbSEs9zbIzUzfa_nvklSJd4BM2pbphwqZnoUyiSBbseDmWXE2cNpt/s320/1.jpg" width="300" border="0" /></a><br /><br /><br /><br /><br /><br />The first Arabian chapter of the honeynet project is going to see the light soon. I'd like to announce the creation of the "Kuwait Chapter" of the honeynet Project. Our goal is to study Internet attacks and threats which target Kuwait and Middle East. We are in progress of contacting third-parties for donations and sponsorships. 
If you are interested in helping us, please contact me at (<a href="mailto:a.qarta@gmail.com">a.qarta@gmail.com</a>).<br /><br /><br /><br />Also, we are looking for volunteers who want to join the team, the required skills are:<br /><br />1) Malwares analysis<br /><br />2) Packets analysis<br /><br />3) Linux/Windows Forensics<br /><br />4) IDS / IPS / Firewalls<br /><br />5) Honeypots<br /><br /><br />If you would like to donate, we accept:<br /><br /><br />1) Cash<br /><br /><br />2) Computers<br /><br /><br />3) Servers<br /><br /><br />4) Internet public IP's<br /><br /><br />5) Internet connections<br /><br /><br />For more information, please contact me at (<a href="mailto:a.qarta@gmail.com">a.qarta@gmail.com</a>)<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdouMENUHOQIAZuo0zmhLqYuMrefHt45rpc9Cq_FUlLP5IXYxVOzNf2abWnvE9D4QoEpwxaeZm59mH0I7BvBapsL9r8dUQ_PValpm9Y2nhENtSYNAai-EThPnvOoxxGpEcCphgft0M2ABF/s1600-h/icon_Honeynet.jpg"></a>Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-25045643777472825772008-09-07T13:33:00.000-07:002008-10-12T11:55:19.766-07:00Malwares Forensics Dojo in Kuwait<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJxFGVfMf7YRvce-uhHl0HBCmZX14-Gqyu6m9ZxRGMzLX83itTmUKIsxWLsYxqBzXIU65Jkd2regV6gL6UzQ-X6NVB3XPHCwbOxwBV7cI86tdDZ093WaRyiIMvZFsjXksottOkGnMAV1bs/s1600-h/ninja.jpg"><img id="BLOGGER_PHOTO_ID_5243385677940310946" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJxFGVfMf7YRvce-uhHl0HBCmZX14-Gqyu6m9ZxRGMzLX83itTmUKIsxWLsYxqBzXIU65Jkd2regV6gL6UzQ-X6NVB3XPHCwbOxwBV7cI86tdDZ093WaRyiIMvZFsjXksottOkGnMAV1bs/s320/ninja.jpg" border="0" /></a><br /><br /><br /><div></div><br /><br /><div></div><br /><br /><div></div><br /><br /><div></div><br /><br /><div></div><br /><br /><div></div><br /><div></div><div></div><br /><div></div><br 
/><br /><div></div><br /><br /><div>By Aa’ed Alqarta (Symantec STS)<br /></div><div><br />This course is targeted to systems and security administrators who are responsible of securing their clients and networks. Without concepts and technical skills, you can’t defend against the latest generations of malwares. This course will prepare you with the required knowledge to fight malwares. You’ll learn from an experienced and trained instructor who will guide you step-by-step through the training.<br /><br /></div><div>Course Agenda:<br /></div><br /><div><br />- Introduction to malwares: We will talk about malwares basics, and history of malwares.<br /></div><div><br />- Types of malwares: We will talk about all malwares categories and how to defend against them.<br /></div><div><br />- Tools for malware analysis: We will talk about malwares analysis tools that will help the system admin during investigating an infected computer.<br /></div><div><br />- Malwares disinfection: We will talk about the techniques that will teach a system admin how to disinfect and clean any infected system using special techniques, tools and live CDs.<br /></div><div><br />- Malwares detection: We will talk about how to detect any malware that is propagating in your network using traffic analysis, honeypots and IDS.<br /></div><div><br />- Security policies and defenses against malwares: We will talk about effective security policies and defense strategies against malwares. 
</div><div><br /> </div><div>For registration details, send an e-mail to (<em>a.qarta [ at ] gmail.com</em>) </div>Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-55858126231191935022008-07-02T11:21:00.000-07:002008-07-02T13:10:16.403-07:00"Malware Resistance" Assessment<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSNopCFOe9idfDclNakhSuuX4-VDI7Mf8y3xpBm8ZwDeA9AtgDmMS3DWAdFw6HDTumR_-Oo5zKBp7pAk5uPvNQuQ8KADtvOS5vOKYPK-45brMs7bzYJCaneTPnrdRLpTt5b4S2NzsbmANr/s1600-h/resistance.jpg"><img id="BLOGGER_PHOTO_ID_5218488885825552722" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSNopCFOe9idfDclNakhSuuX4-VDI7Mf8y3xpBm8ZwDeA9AtgDmMS3DWAdFw6HDTumR_-Oo5zKBp7pAk5uPvNQuQ8KADtvOS5vOKYPK-45brMs7bzYJCaneTPnrdRLpTt5b4S2NzsbmANr/s320/resistance.jpg" border="0" /></a><br /><br /><br /><br /><br />We have all heard of a "Vulnerability Assessment" or a "Network Security Assessment", but what about a "Malware Resistance Assessment"?<br /><br />The idea came to me this morning while talking to one of my customers about hardening their machines to be more "resistant" to malware infections.<br /><br />I am not aware of a standard for measuring the "resistance level" of a network against malware, so based on my knowledge and experience I have drafted an essential checklist. Answer the questions for your own network; every "no" is a hole that malware can use:<br /><br />1) Are you running the latest version of your current antivirus product?<br /><br />2) Can the antivirus detect known malware and rootkits with up-to-date signatures?<br /><br />3) Can the antivirus detect unknown malware, rootkits and zero-day exploits using proactive techniques (heuristics, behaviour blocking)?<br /><br />4) Do you have a patch-management strategy to fix operating system and third-party application vulnerabilities?<br /><br />5) Do you have an Internet content-filtering solution to block access to websites that host malicious code?<br /><br />6) Do you have an antispam solution that filters spam and scans for malicious attachments and embedded links?<br /><br />7) Are the applications that install ActiveX components kept at their latest versions?<br /><br />8) Are you running the latest version of your Internet browser? (The latest browsers include phishing/malware filtering.)<br /><br />9) Do you have a policy that forbids, and a control that blocks, the use of removable drives in your network?<br /><br />10) Do you have a policy that forbids, and a control that blocks, the installation of unapproved software?<br /><br />11) Do you have a bandwidth-monitoring solution to track network and Internet protocol usage in real time?<br /><br />12) Do you have a firewall/UTM solution that scans Internet traffic for viruses?<br /><br />13) Do you have an IDS/IPS solution that can observe malware activity in your network?<br /><br />14) Do you run a honeypot that monitors the dark space in your network/DMZ for malware propagation?<br /><br />15) Do you have the proper firewall ACLs to prevent inbound/outbound traffic related to malware communications?<br /><br />16) Do you have a "malware outbreak incident response" plan?<br /><br />17) Do you follow the concept of "least privilege" whenever you install or configure software or a service?<br /><br />18) Do you have a training program that gives you or your team the needed malware-related skills?<br /><br />19) Do you have a "malware containment strategy" in case of a large-scale propagation?<br /><br />20) Do you have a solid backup and recovery of data and systems in case of data loss due to a malware infection?<br /><br />21) Do you have security awareness training for users, to reduce the number of infections and to improve how users report incidents?<br /><br />22) Do you have a secure deployment process for new machines in your network? (Up-to-date OS, up-to-date AV, hardened OS, only approved applications installed, limited user permissions.)<br /><br />23) Do you follow a password security policy in your network? (Network share passwords, administrator account password, complex passwords, password expiration, changing default passwords.)<br /><br />If you have anything to add to this list, you're welcome to share it.<br /><br />Related posts:<br /><br /><ol><li><a href="http://extremesecurity.blogspot.com/2008/06/firefox-vs-opera-anti-phishing-review_30.html">Opera 9 vs. FF 3: anti-phishing review</a></li><li><a href="http://extremesecurity.blogspot.com/2008/06/use-default-password-get-hijacked.html">Use default password, get hijacked</a></li><li><a href="http://extremesecurity.blogspot.com/2008/06/stop-malwares-using-device-control-real.html">Stop malware using device control</a></li><li><a href="http://extremesecurity.blogspot.com/2008/05/block-malware-domains-using-squid.html">Block malware domains using Squid</a></li><li><a href="http://extremesecurity.blogspot.com/2008/03/ie-activex-security-101.html">IE ActiveX security 101</a></li><li><a href="http://extremesecurity.blogspot.com/2008/03/dns-redirection-techniques.html">DNS redirection techniques</a></li><li><a href="http://extremesecurity.blogspot.com/2008/03/malwares-containment-quarantine.html">Malware containment: quarantine the infected</a></li><li><a href="http://extremesecurity.blogspot.com/2008/02/malwares-containment-level-ii.html">Malware containment: level II</a></li><li><a href="http://extremesecurity.blogspot.com/2008/02/malwares-containment-basics.html">Malware containment: the basics</a></li><li><a href="http://extremesecurity.blogspot.com/2008/02/analyze-malware-infections-on-your-own.html">Analyze malware infections on your own - 1</a></li><li><a href="http://extremesecurity.blogspot.com/2008/02/analyze-malware-infections-on-your-own_10.html">Analyze malware infections on your 
own - 2</a></li></ol>Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-34882893255265746322008-06-30T13:44:00.000-07:002008-06-30T13:45:25.175-07:00Firefox vs. Opera: Anti-phishing Review<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinw-D2npzqrC5-RMOHwVk3pF0At24lJre2yoFZPPI5WJG8n3c9oKEXSxfmvaMfNLgXWE2JJdwjXJqwiG6eNYPR81w82g6bUATbNtf0g_JL3cFPrQnUsi0OIAzFfDRmZZTWKKA7TPmAQIIp/s1600-h/firefox-vs-opera.png"><img id="BLOGGER_PHOTO_ID_5217744635700220210" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinw-D2npzqrC5-RMOHwVk3pF0At24lJre2yoFZPPI5WJG8n3c9oKEXSxfmvaMfNLgXWE2JJdwjXJqwiG6eNYPR81w82g6bUATbNtf0g_JL3cFPrQnUsi0OIAzFfDRmZZTWKKA7TPmAQIIp/s400/firefox-vs-opera.png" border="0" /></a><br /><br /><br /><br /><br />The war between Opera and Firefox is still burning, and both have improved their code to secure the user's online life. Since I work with security products every day, I have the habit of testing whether they really protect against what they claim to. When you put anything to the test you get surprising, and mostly disappointing, results. Today I have two contenders, Opera 9 and Firefox 3, and we have heard claims about their readiness to stop the bad. I'm not sure this is the correct way to benchmark them, but my test was simple: I simulated a normal user who received a phishing spam with a link to a fake website (a fake PayPal login page, for example) and checked whether the browser blocked the page. The URLs are defanged (hxxp) so that they are not clickable.<br /><br />The test:<br /><br /><ol><li>hxxp://www.warning-s-on-your-boa-account.com/<br />Opera 9: PASS, Firefox 3: FAIL</li><li>hxxp://dell.cfun.fr/<br />Opera 9: PASS, Firefox 3: FAIL</li><li>hxxp://peppegol96.altervista.org/loader.html<br />Opera 9: PASS, Firefox 3: FAIL</li><li>hxxp://membres.lycos.fr/p4ypal/<br />Opera 9: PASS, Firefox 3: FAIL</li><li>hxxp://payypalll.com/<br />Opera 9: PASS, Firefox 3: FAIL</li><li>hxxp://www.masterequipamentos.com.br/sas/explorer/paypal.com/PayPal/<br />Opera 9: PASS, Firefox 3: FAIL</li><li>hxxp://wmserver.stcable.co.yu/~matthew/Service-Paypal.htm<br />Opera 9: PASS, Firefox 3: FAIL</li><li>hxxp://www.mindblade-studios.com/forum/style_images/amazon.fr/ref=ya_hp_oc_3.htm<br />Opera 9: PASS, Firefox 3: FAIL</li></ol>What makes Opera 9 better than Firefox in my opinion is the higher number of blocked websites, plus the warning notification when a fraudulent website is detected. Firefox blocked none of them and showed no notification, except that it was not receiving identity information for the site.<br /><br />Two caveats on a test like this: the sample is small (eight live phishing URLs), and blocklist-based filters depend on how recent the list is, so the same URL can be blocked an hour later, or in a profile that has been running long enough to download the filter data. Download both browsers and re-run the test yourself rather than relying on one snapshot:<br /><br /><a href="http://www.opera.com/download/">Opera 9</a><br /><br /><a href="http://www.mozilla.com/en-US/firefox/all.html">Firefox 3</a><br /><br />Adios,Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-61776163044167595982008-06-28T10:56:00.000-07:002008-06-28T12:36:49.824-07:00Book Review: Endpoint Security<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyq5tnb2qfPQ7ZC3BmpmJgw0U1cX9ttmY-YLZ29XlKpMHu3Ij6ZwIrxj37SE1YsFFXTl1KFGdaBjN9M1rJM_x23OkDdAYCY9dUvRdxcoCPo62mSpnkgXe17QI3hAQDUF77iJ10s0Q7JjHm/s1600-h/book.jpg"><img id="BLOGGER_PHOTO_ID_5216993587408686770" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyq5tnb2qfPQ7ZC3BmpmJgw0U1cX9ttmY-YLZ29XlKpMHu3Ij6ZwIrxj37SE1YsFFXTl1KFGdaBjN9M1rJM_x23OkDdAYCY9dUvRdxcoCPo62mSpnkgXe17QI3hAQDUF77iJ10s0Q7JjHm/s400/book.jpg" border="0" /></a><br /><div>I've just finished reading this book by Mark Kadrich, and I have to admit that it is highly informative and focused on the pain points. We fight malware every day and spend millions of dollars on solutions built to stop known attacks, which then fail to stop the unknown. I'd like to share some interesting quotes from the book:<br /><br />(<em>I’m not aware of any SOx template that ever stopped a worm. 
Granted, it was a great example of “find a need and fill it” mentality, but it also gave many people the false impression that being SOx compliant meant being secure.)</em> </div><div><br /></div><div>And<br /><br />(<em>How can this be? We have antivirus! We have firewalls! We have IDSs! We have authentication systems! We have HIPAA, SOx and let’s not forget GLBA! With all this heavy artillery, how can the evil worms of war still manage to break through our defenses? Why do we have systems infected with bots? How can we have all this security and still have a polluted network?</em>)<br /><br /><br />What can we take from this?<br /><br />I think the problem is either that the current security standards are no longer as effective at stopping malware, or that we are not implementing them correctly. A security standard gives you the foundation of the security architecture your network needs; if you don't follow the book, that is your problem. I've seen many security administrators who pay no attention to patching machines properly, or even to checking the firewall logs for botnet activity. That is a good example of how malware manages to get past your defenses and infect the endpoints.<br /><br />Here are some tips from my daily work. To stop malware we need to close all the holes, which are:<br /><br />1) Internet. We have different sources of risk, so let's break them down: </div><div><br />Websites: install a content-filtering solution (e.g. Websense).<br />Spam: install a respected antispam solution (e.g. BorderWare MXtreme, Cisco IronMail).<br />P2P: block these applications using a firewall or IPS, or prevent their installation altogether.<br />Malware: block risky ports on the firewall, deploy a network IPS, and deploy a gateway antivirus (HTTP scanning).<br /><br />2) Removable drives. These devices are "mobile mass infection" weapons, and I never allow them on my watch. The only countermeasure against them is a device-blocking policy, enforced by software that gives full control over them.<br /><br />The list is not finished yet, keep reading:<br /><br />- Patch management strategy: OS and application patching. 80% of malware targets a specific vulnerability in your system. I always say "<em>a patched machine with a public IP is safer than an unpatched one behind a hundred firewalls</em>". </div><div><br />- Browser security: get a secure browser (Firefox 3 or Opera 9). Read my lips: no more ActiveX!</div><div><br />- Network Access Control: check the Cisco NAC or Symantec SNAC solutions. </div><div><br />- User awareness: e-mails with some cartoons, sessions, screenshots of malicious activity and how to report it. </div><div><br />- Training and reading: if your admin spends his day playing FreeCell, it's time to level up his knowledge, because an ignorant admin decreases the value of any security solution. Most customers use 40% of a solution because they lack the knowledge to use the advanced features that could address the original problem. </div><div> </div><div>Here's the link to the book on Amazon: 
<a href="http://www.amazon.com/gp/product/0321436954?&camp=212361&linkCode=wey&tag=extreme04-20&creative=380733">Click here</a></div><div> </div><div>I'm done here, </div>Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-2354071890510205762008-06-21T00:04:00.000-07:002008-06-22T07:41:41.989-07:00USB dongle automatic malware scanning with ClamAV<div align="left"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJSfxpQSHuek-SYtbyD6KIA8IXfxs-LwczaAe7BdpqBfZo8X8uoGWlyhJ8j-CNRacWGgdtBRZzWpfjpVm1s0q8AiCbu286XDCQ4UjxV1H2KEhaZv906mv3ysf7V0iIZGF52cZmq4H2RWLp/s1600-h/clam.png"><img id="BLOGGER_PHOTO_ID_5214246154064879138" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJSfxpQSHuek-SYtbyD6KIA8IXfxs-LwczaAe7BdpqBfZo8X8uoGWlyhJ8j-CNRacWGgdtBRZzWpfjpVm1s0q8AiCbu286XDCQ4UjxV1H2KEhaZv906mv3ysf7V0iIZGF52cZmq4H2RWLp/s400/clam.png" border="0" /></a><br /></div><br /><div align="left">How many of you use a USB dongle for your daily tasks? Most of you, I think, but since this blog is about security and malware, today I'm going to show you a trick using a Windows batch file and the portable version of ClamWin for arming your dongle when you have to copy or move files in a non-secure environment. Personally, when I need a new or additional USB dongle, I prefer one with a hardware write-protect switch. That is a very effective way to protect your USB drive when you transfer files between your laptop and other machines, because nothing on the other machine can write to it. But suppose yours doesn't support this feature: you need to build some kind of armor around it.<br /><br />Let's work:<br /><br />1) Get the latest copy of ClamWin Portable for Windows. 
<a href="http://surfnet.dl.sourceforge.net/s
ourceforge/portableapps/ClamWin_Portable_0.93.1.paf.exe">Download here</a> (install it and rename the folder to ClamWinPortable).</div><div align="left"><br />2) Copy the following batch file and call it scan.cmd. It works from its own folder (%~dp0, the dongle root) rather than from %cd%, so it still scans the dongle when AutoRun starts it with a different working directory; the definitions path is the one inside ClamWinPortable; and -r makes ClamAV recurse into sub-folders instead of scanning only the root: </div><div align="left"><br /><span style="color:#ff0000;">@echo off<br />rem Work from the folder that holds this script (the dongle root), even if<br />rem AutoRun started us with a different current directory.<br />cd /d "%~dp0"<br />echo Updating ClamAV definitions ...<br />.\ClamWinPortable\App\clamwin\bin\freshclam.exe -v --config-file=".\ClamWinPortable\App\clamwin\bin\freshclam.conf" --datadir=".\ClamWinPortable\Data\db"<br />echo Scanning USB drive for malware ...<br />rem -r recurses into sub-folders, -i lists infected files only, --remove deletes them<br />rem (use --move=quarantine instead if you want to keep samples), -l writes the log.<br />.\ClamWinPortable\App\clamwin\bin\clamscan.exe --database=".\ClamWinPortable\Data\db" -v -r -i --bell --remove --detect-broken -l scan-results.txt .<br />explorer.exe .<br />exit<br /></span><br />3) Copy the following AutoRun instructions and save them as autorun.inf: </div><div align="left"><br /><span style="color:#ff0000;">[autorun]<br />shell\Open\Command=scan.cmd<br />ShellExecute=scan.cmd</span><br /><br />Copy all of these files to the root of your USB dongle, then close the Explorer window and open the drive again to see it work.<br /><br />Three things to keep in mind: AutoRun is exactly the mechanism USB worms use, and Windows 7 and later no longer honour autorun.inf on USB drives, so on those hosts you start scan.cmd by hand; freshclam needs Internet access from the host you plug into, and the log file needs a writable drive; and a malicious host can overwrite scan.cmd or the ClamWin binaries on the dongle as easily as any other file, which is why the write-protect switch is the stronger control. 
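<br /><br />An added example, not code from the original post: the scan.cmd trick depends on autorun.inf, which is the same mechanism USB worms use to launch themselves when a drive is opened, so a dongle that arrives with an autorun.inf deserves a look before it is opened. The Python script below reads the [autorun] section, picks out the keys Windows would execute (open, shellexecute and shell\verb\command), and classifies the file as clean, expected (only the scanner we put there ourselves, launched from the drive root) or suspicious. The allow-list of expected file names (scan.cmd) and both sample autorun.inf texts are assumptions constructed for this example; the second sample only mimics the general shape of a worm's autorun.inf (executable hidden in a sub-folder, Explorer-like menu text) and is not taken from any real sample.

```python
"""Audit an autorun.inf before trusting a removable drive.

Added example, not code from the original post. The allow-list of expected
file names and both sample autorun.inf texts below are constructed for this
example; the worm-style sample mimics a typical shape and is not a real one.
"""
import configparser
import re

# Keys whose value Windows AutoRun executes when the drive is opened.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... adds a context-menu verb that also runs a command.
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}, {} if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}


def launch_commands(entries):
    """Pick the keys that cause code execution out of a parsed [autorun]."""
    return {k: v for k, v in entries.items()
            if k in EXEC_KEYS or SHELL_COMMAND.match(k)}


def first_token(command):
    """Executable part of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def assess(text, expected=("scan.cmd",)):
    """Classify an autorun.inf and explain why.

    'clean'      : no launch keys at all
    'expected'   : every launch key runs a file from `expected`, at the root
    'suspicious' : anything else
    `expected` is the assumed allow-list: the scanner script from the post.
    """
    entries = parse_autorun(text)
    launches = launch_commands(entries)
    findings = []
    verdict = "clean" if not launches else "expected"
    for key, command in launches.items():
        exe = first_token(command).replace("/", "\\").lower()
        if exe.rsplit("\\", 1)[-1] not in expected:
            findings.append(f"{key} runs unexpected file {exe}")
            verdict = "suspicious"
        elif "\\" in exe:
            findings.append(f"{key} runs {exe} from a sub-folder, not the root")
            verdict = "suspicious"
    # A scanner has no reason to imitate Explorer's own "Open folder" entry.
    if launches and "action" in entries:
        findings.append(f"action text mimics AutoPlay: {entries['action']!r}")
        verdict = "suspicious"
    return verdict, findings


# Constructed sample 1: the autorun.inf from the post above.
SCANNER_AUTORUN = """[autorun]
shell\\Open\\Command=scan.cmd
ShellExecute=scan.cmd
"""

# Constructed sample 2: worm-like shape (hidden sub-folder, Explorer-style text).
WORM_AUTORUN = """[autorun]
open=RECYCLER\\setup.exe
shell\\open\\Command=RECYCLER\\setup.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for name, text in (("scanner", SCANNER_AUTORUN), ("worm-like", WORM_AUTORUN)):
        verdict, findings = assess(text)
        print(f"{name}: {verdict}")
        for line in findings:
            print("  -", line)
```

Run as-is it reports on both samples; to check a real drive, read its autorun.inf and pass the text to assess(). The allow-list is deliberately a file name plus a root-only rule, because the trick USB worms rely on is not an unusual key but a normal-looking key pointing at a file you did not put there.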
</div>Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-20986571368820694982008-06-18T11:40:00.000-07:002008-06-18T13:51:09.413-07:00Zlob says: You look really stupid !<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqv_N0xbyW7U45T8SwxOy4fKo1IFILdpyCIx-Vmz-v1vkEFG-ensrGna38FhIz_Uyg0dPkFP0xcGFxIIjHC7QvPwJXlqxm4_ETCvxkrqPAnLiBm2giTpy0NGBTuFJ3_AZGnD3QvS-GMBN6/s1600-h/virus.jpg"><img id="BLOGGER_PHOTO_ID_5213294432202642754" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqv_N0xbyW7U45T8SwxOy4fKo1IFILdpyCIx-Vmz-v1vkEFG-ensrGna38FhIz_Uyg0dPkFP0xcGFxIIjHC7QvPwJXlqxm4_ETCvxkrqPAnLiBm2giTpy0NGBTuFJ3_AZGnD3QvS-GMBN6/s320/virus.jpg" border="0" /></a><br /><br /><br /><br /><a href="http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99">Zlob trojan</a> never gives up; it uses a multi-pronged strategy to infect as many systems as possible. <a href="http://extremesecurity.blogspot.com/2008/06/use-default-password-get-hijacked.html">We talked recently</a> about one of its attacks, against insecure wireless/wired routers on the Internet that are left with their default passwords. 
Nowadays Zlob is trying social engineering tricks as well: spam e-mails with the subject line (You look really stupid) whose body contains a URL to a fake video file with the extension (exe)!<br /><p><br /><br /></p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpmI8P418F4OIbYScbfTxG7_pTi-4iq2-j0irZNitOgNTND9UDabHoQea2wzMUSnOPyZjenY4-UfulqkMvxNBKUv62GPUopOVoONL2TIT2XKolZfZPHNlKOiaL9PGy0vptPTzrZtTSzcjD/s1600-h/2.gif"><img id="BLOGGER_PHOTO_ID_5213298688694968786" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpmI8P418F4OIbYScbfTxG7_pTi-4iq2-j0irZNitOgNTND9UDabHoQea2wzMUSnOPyZjenY4-UfulqkMvxNBKUv62GPUopOVoONL2TIT2XKolZfZPHNlKOiaL9PGy0vptPTzrZtTSzcjD/s400/2.gif" border="0" /></a> </p><p>Checklist for system admins:</p><ol><li>Make sure the current antispam is updated with the latest signatures. </li><li>Make sure the current antivirus is deployed and updated on all machines. Verify that your vendor already provides definitions to detect <span style="color:#ff0000;">Trojan.Zlob</span> and its variants. </li><li>Deploy a URL/website filtering solution to block malicious URLs (e.g. Websense). If you already have one installed, create a policy that denies access to any URL containing video.exe or video1.exe. </li><li>Turn on antivirus scanning on your gateway firewall; if it doesn't support this, it's time to replace it with a decent UTM (e.g. Fortigate / Juniper / ASA).</li><li>User awareness is on your side: send a periodic e-mail about spam, malware and other Internet threats. Use simple, friendly language, and a cartoon about computer security to add some humour. 
</li><li>If you are already running Snort, use this signature to detect the download of the fake video executable. As written it matches only video.exe; add one copy of the rule per variant (video1.exe, video2.exe and so on), each with its own sid, or match all the variants with a single pcre option. The sid is in the local range (1000000 and above), which keeps it clear of the official rule set and lets Snort identify the rule in alerts.</li></ol><p><span style="color:#ff0000;">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Trojan.Zlob Binary Requested (video.exe)"; flow:established,to_server; uricontent:"/video.exe"; nocase; classtype:trojan-activity; reference:url,http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99; sid:1000001; rev:1;)</span></p><p>Other posts about Zlob:</p><ul><li><a href="http://extremesecurity.blogspot.com/2008/06/use-default-password-get-hijacked.html">Use default password, get hijacked</a></li><li><a href="http://extremesecurity.blogspot.com/2008/03/iframe-attacks-actions-to-be-taken.html">IFRAME Attacks - Actions to be taken</a></li></ul><p></p>Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-53427174819257990912008-06-13T09:30:00.000-07:002008-06-14T11:21:45.355-07:00Use default password, get hijacked<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQW7BnAALyQjzcPkoL1jQG7RhSWy-p6H8kFtKT9HSjYJe93ZpPAmPjanBlHftDHYgQWsnfMP8inVxNamTjQX5CBO7q0WrICgwGld_C-06FfJcg4PvaxYS0In7dJUVCI_KVthAoV7PZqtne/s1600-h/befw11s4_v4.jpg"><img id="BLOGGER_PHOTO_ID_5211422323934679730" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 254px; CURSOR: hand; HEIGHT: 208px" height="235" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQW7BnAALyQjzcPkoL1jQG7RhSWy-p6H8kFtKT9HSjYJe93ZpPAmPjanBlHftDHYgQWsnfMP8inVxNamTjQX5CBO7q0WrICgwGld_C-06FfJcg4PvaxYS0In7dJUVCI_KVthAoV7PZqtne/s320/befw11s4_v4.jpg" width="275" border="0" /></a><br /><br /><br /><br /><br /><br /><br /><br />As the title says: use the default password on your wireless/wired router and wait for the new variant of the "Zlob" trojan to infect some machines, then try 
every default router username/password combination from <a href="http://www.routerpasswords.com/">http://www.routerpasswords.com/</a>. You can also check this text file and search for your current username/password to make sure they are not in the list: <a href="http://blog.washingtonpost.com/securityfix/zlobpass.txt">http://blog.washingtonpost.com/securityfix/zlobpass.txt</a><br /><br />Zlob (also known as DNSChanger) modifies the DNS settings so that clients use rogue DNS servers. These name servers resolve non-existent domains (typo-squatting) to IP addresses controlled by the authors, to generate revenue, and can redirect traffic from legitimate websites to other suspicious websites.<br /><br />Countermeasures against DNSChanger:<br /><br /><ol><li>Change your router's default password to something complex. Make sure it is long and contains symbols and numbers.</li><li>Configure your router to allow management access from a specific machine only (e.g. the admin PC); this prevents infected machines from reaching your router.</li><li>Update the firmware to fix any known security issues.</li><li>If possible, change the management port to something else (e.g. from port 80/443 to 555). This hides the interface from malware that only tries the default ports; it is not a substitute for changing the password.</li><li>Configure syslog/SNMP on the router to watch for configuration changes or failed logins.</li><li>Rename the admin account on the router, or see the next item.</li><li>Disable or delete the admin account and create another one with a different name and password.</li><li>Deploy an IDS on your network to detect malicious activity (e.g. router username/password brute-force attacks, requests to rogue DNS servers, video codec downloads). </li><li>Deploy URL-filtering software or an appliance that blocks access to malicious websites/pages that offer codecs or fake codecs. </li><li>Disable UPnP on your router, because it is no longer secure. Check here: <a href="http://www.google.com/search?hl=en&q=upnp+exploit+router">http://www.google.com/search?hl=en&q=upnp+exploit+router</a></li><li>Block access to these IPs at the firewall (85.255.116.164 / 85.255.112.81) and log the hits: any internal host that tries to reach them has already had its DNS changed.</li><li>Use the Pure Networks Security Scan for wireless networks, <a href="http://www.purenetworks.com/securityscan/">http://www.purenetworks.com/securityscan/</a></li><li>Keep your machines up to date. Most malware targets a specific vulnerability to reach the system. </li><li>Get legitimate video codecs, install them on your machines, and inform your users that their machines are ready to play any video format and there is no need to download codecs from untrusted sites. Check <a href="http://www.free-codecs.com/download/K_lite_codec_pack.htm">http://www.free-codecs.com/download/K_lite_codec_pack.htm</a></li></ol>Safe browsing ... :)Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-37821630720978583282008-06-03T12:34:00.000-07:002008-08-31T12:12:21.088-07:00Stop malware using device control: A real life experience<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqfqADfe0EpXj9690eNX3mDUM-TrRv8hhgVC6D_6719q2G2hq-tVnbghEVrkpERj1JrP72TT1okf8xEZC5brR6yk2nIjC3m9isbCroVyYUBoaQt1hKxJ6TCsHHi3ecTrII_6DvaDSrx0UW/s1600-h/USB_Disk2.jpg"><img id="BLOGGER_PHOTO_ID_5213981791544611122" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqfqADfe0EpXj9690eNX3mDUM-TrRv8hhgVC6D_6719q2G2hq-tVnbghEVrkpERj1JrP72TT1okf8xEZC5brR6yk2nIjC3m9isbCroVyYUBoaQt1hKxJ6TCsHHi3ecTrII_6DvaDSrx0UW/s320/USB_Disk2.jpg" border="0" /></a><br /><div><br /><br /><div><br />If you are one of those administrators who try hard to keep their networks clean and prevent the next malware from infecting their systems, this is definitely for you...<br /><br />Spending thousands of dollars on security solutions to protect the enterprise from the outside alone is an outdated concept. Ask anyone who works in the security arena what the main sources of malware are today, and they will probably answer: e-mail spam, websites and removable drives. I have been dealing with anti-anything (malware, viruses, worms, rootkits) for a long time, and I used to judge the security of a network from the antivirus server's logs and reports, because these logs give a lot of detail, such as the name of the virus, the path on the system, where it came from, and so on. Most of the time I see viruses detected in the root folder of a removable drive. Thanks to Windows AutoPlay/AutoRun, which inspects the files on the drive and runs whatever the drive's autorun.inf points at, malware gets executed every time you plug your flash drive into your computer. Many vendors now provide an additional module for their software that controls local system devices based on a policy. For example, <a href="http://www.symantec.com/endpoint/">Symantec Endpoint Protection 11</a> is my choice today to protect endpoints: I can block every single device/interface in the machine, such as USB dongles, Bluetooth, PCMCIA, wireless, serial (COM) ports and so on. I had one customer who was struggling to stop malware, and depending on the installed AV alone was a losing game. So I checked the daily logs of the AV server, and I was surprised by the high number of viruses that had been detected on users' USB dongles! </div><div>I have to admit that this customer is happier than before, because malware infections decreased by 70% once we blocked all insecure devices. </div><div>A replacement for using USB dongles inside the corporate network is a secure file-sharing server with a multi-engine antivirus scanner installed, which checks dongles for infections and cleans them. The user then copies or moves files to and from this server without endangering the LAN. The company has accepted this, and life goes on with or without USB dongles :) </div></div>Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-29302474870079573022008-05-24T08:27:00.000-07:002008-05-24T10:21:47.793-07:00Block malware domains using Squid<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiROwPUTs9Tu-vFRPtgRcVeAGVYBhsXI6GV0E7HC-f2O__B83im9bWi0aUqEuceYg46EeN3QcMISsgtgemeIzZ26QLz571c4swj1aOGrnJnZup6erocfmcNf5vyu1grJtXcB6mQsl9R9vR1/s1600-h/SN1.png"><img id="BLOGGER_PHOTO_ID_5203972419832294466" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 288px; CURSOR: hand; HEIGHT: 153px" height="153" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiROwPUTs9Tu-vFRPtgRcVeAGVYBhsXI6GV0E7HC-f2O__B83im9bWi0aUqEuceYg46EeN3QcMISsgtgemeIzZ26QLz571c4swj1aOGrnJnZup6erocfmcNf5vyu1grJtXcB6mQsl9R9vR1/s320/SN1.png" width="279" border="0" /></a><br /><br /><br />Today we'll see how we can start filtering malicious websites, using Squid as an example. Squid is a popular open source web proxy and web cache. 
If you don't want a complex solution, you can use <a href="http://malwaredomains.com/">malwaredomains.com </a>black lists and a small batch file to generate copy-and-pase Squid ACL's to filter the unwanted.<br /><br />Let's Start:<br /><br />1) Download the complete file from this link <a href="http://www.malwaredomains.com/files/domains.txt">domains.txt</a><br /><br />2) Use MS Excell to filter and save URL's:<br /><br />- open domain.txt<br /><br /><br /><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_-RFdv2gw61JQYqNwuu46ifMmYJarpUavBc7DRihnMR91LkPJW3Pgqazg5rx-znwxb5vea4HShTCGrAZl9aY2hFNZN53dfCnIgXMynd7lAE_ZPdoUAtxBRCjuINBLb-OohNEdafR4KWUB/s1600-h/01.gif"><img id="BLOGGER_PHOTO_ID_5203975722662145106" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_-RFdv2gw61JQYqNwuu46ifMmYJarpUavBc7DRihnMR91LkPJW3Pgqazg5rx-znwxb5vea4HShTCGrAZl9aY2hFNZN53dfCnIgXMynd7lAE_ZPdoUAtxBRCjuINBLb-OohNEdafR4KWUB/s320/01.gif" border="0" /></a></p><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisHGexsQnWeFPbN0SMgyvUhdNOvMSzWL_qsh2U5WJSQDcRySS7IFYEgqGkkunaFhysT1nD_Bz5k0shyphenhyphenLgYCK79I_I4E3diQj6x1KYr6LKbWicihSNAUYvNfVpiiNtmW00J4U93fR1_-GkJ/s1600-h/02.gif"><img id="BLOGGER_PHOTO_ID_5203976216583384162" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisHGexsQnWeFPbN0SMgyvUhdNOvMSzWL_qsh2U5WJSQDcRySS7IFYEgqGkkunaFhysT1nD_Bz5k0shyphenhyphenLgYCK79I_I4E3diQj6x1KYr6LKbWicihSNAUYvNfVpiiNtmW00J4U93fR1_-GkJ/s320/02.gif" border="0" /></a><br /><p><br /><br /></p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnas1Lt5re2o6DOJhvemGYDwRNNOeJst9PQhB-kdTOsMN9ZQIdHNDJcfwE02xDAlnqYAIUsGxLI_ae2FpkgmZgdgWFFT9X9LBZQgT7iHAh2R5P2AWqQsRAqOIBJmVaogAjFI-ipsaYhxNP/s1600-h/excell-domains-1.gif"><img 
id="BLOGGER_PHOTO_ID_5203976650375081074" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnas1Lt5re2o6DOJhvemGYDwRNNOeJst9PQhB-kdTOsMN9ZQIdHNDJcfwE02xDAlnqYAIUsGxLI_ae2FpkgmZgdgWFFT9X9LBZQgT7iHAh2R5P2AWqQsRAqOIBJmVaogAjFI-ipsaYhxNP/s320/excell-domains-1.gif" border="0" /></a><br />Now select the domains in the first column and paste them into a text file, call it block.txt<br /><br />3) Use this batch file to import URL's from block.txt and convert them to Squid ACL's<br /><br /><strong><span style="color:#ff0000;">@echo off</span></strong><br /><strong><span style="color:#ff0000;">for /f %%a in (c:\block.txt) do echo acl blocksites dstdomain %%a >> c:\squid-acls.txt</span></strong><br /><strong><span style="color:#ff0000;">notepad c:\squid-acls.txt</span></strong><br /><strong><span style="color:#ff0000;">exit /b</span></strong><br /><p><span style="color:#000000;">append the output to the squid conf file like this:</span></p><p><span style="color:#ff0000;"><strong>acl blocksites dstdomain koolkatalog.com </strong></span></p><p><span style="color:#ff0000;"><strong>acl blocksites dstdomain prostol.com </strong></span></p><p><span style="color:#ff0000;"><strong>acl blocksites dstdomain alwaysupdatednews.com </strong></span></p><p><span style="color:#ff0000;"><strong>acl blocksites dstdomain cometsystems.com </strong></span></p><p><span style="color:#ff0000;"><strong>acl blocksites dstdomain sdsauto.ru </strong></span></p><p><span style="color:#ff0000;"><strong>acl blocksites dstdomain googkle.com </strong></span></p><p><span style="color:#ff0000;"><strong>acl blocksites dstdomain loadcash.biz </strong></span></p><p><span style="color:#ff0000;"><strong>http_access deny blocksites </strong></span></p><p><span style="color:#ff0000;"><span style="color:#000000;">Save and close the conf file, Restart Squid:</span></span></p><p><span style="color:#ff0000;"><strong># 
/etc/init.d/squid restart</strong></span></p><p><span style="color:#ff0000;"><span style="color:#000000;">you're done ;) </span><br /></span><br /><br /></p>Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-29302474870079573022008-04-26T07:21:00.000-07:002008-04-26T07:29:12.441-07:00Managed Security Services: the home-users edition<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQR4KVIkDr4KUOZA60Lo6OKZnvA4O33XcB8vynJUIqiLs618xAT0QSmfigaQEHn0sYjJxSAXwtXtBmkfVpIDBEcpezI8C1_CI5XnfDfJ-_S3Z7HtP8J3AGCH0ajBi7X8rOKKraFYt4Fg0v/s1600-h/mss.jpg"><img id="BLOGGER_PHOTO_ID_5193560716285984258" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" height="228" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQR4KVIkDr4KUOZA60Lo6OKZnvA4O33XcB8vynJUIqiLs618xAT0QSmfigaQEHn0sYjJxSAXwtXtBmkfVpIDBEcpezI8C1_CI5XnfDfJ-_S3Z7HtP8J3AGCH0ajBi7X8rOKKraFYt4Fg0v/s320/mss.jpg" width="269" border="0" /></a><br /><div>If you think about security problems nowadays, they fall into two groups: corporate security problems and home-user security problems. Most security vendors focus on the first one, simply because that is where the cash is. But who will help the clueless end user who just got a new laptop or desktop and knows nothing about Internet security? Ok, you may tell me that OEM-shipped computers come with an antivirus already installed. Stop! Norton Antivirus has to be activated before it starts working. Also, evaluation versions run for one or two months. Then what? It stops updating definitions, or even stops working at all. This is where the problem starts: end users have to be managed somehow by someone, and the nearest candidate is their lovely ISP. ISPs can play an effective role here, because the user already connects through their proxy servers, DNS servers, web filtering servers, etc. But what if we add one more server to this mix, an antivirus server! 
Let their marketing departments start new campaigns (e.g. "AV for everyone"), earn more money, and build a more secure Internet user community at the same time. </div><br /><div></div><br /><div>Technically, it is no more than installing a corporate-edition antivirus (client/server) and deploying the agents to the paying customers who prefer to leave antivirus management to the ISP’s technical support. What are the advantages of such a service? It fixes many issues: commercial AV licensing, insecure default AV installations, corrupted AV installs that keep showing bogus notifications forever, and definition updates served from an ISP-hosted server, which defeats a locally poisoned record for the AV vendor’s update domain (e.g. update.symantec.com ---> 127.0.0.1) that otherwise makes definition updates impossible.<br /><br />I hope that ISPs start taking some responsibility and stand beside their users; it would set them apart from the others.</div><br /><div><br />If you have any comment, share it with us here … </div>Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-29316953386301055472008-04-24T23:47:00.000-07:002008-04-25T01:00:22.470-07:00U.N site took the injection<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDa6zpl1TD7bBCU0qzeLzEMzZN3LWu4J0TrxNfSYSvZcXDKbGV-6mIiFS1IMNr6Y1PT61J6SI2qH24h40slEGpuJpES7jdB3bx82Sg4bDC_Bs4Gw0IvMnWXKSiEb3YYomsVF7v9lg59VAF/s1600-h/injection.gif"><img id="BLOGGER_PHOTO_ID_5193073419985938626" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" height="200" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDa6zpl1TD7bBCU0qzeLzEMzZN3LWu4J0TrxNfSYSvZcXDKbGV-6mIiFS1IMNr6Y1PT61J6SI2qH24h40slEGpuJpES7jdB3bx82Sg4bDC_Bs4Gw0IvMnWXKSiEb3YYomsVF7v9lg59VAF/s320/injection.gif" width="264" border="0" /></a><br /><br /><br /><br /><br /><br />The U.N. site is another victim of the SQL injection attacks: when a user browses the 
site's events page, he is redirected to (www.nihaorr1.com/[removed]). The "1.js" script then sends the user to another page, "1.htm", which, once loaded, tries to exploit the following vulnerabilities:<br /> <br /><br /><br /><strong>Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (Critical)</strong><br /><br /><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-055.mspx">http://www.microsoft.com/technet/security/Bulletin/MS07-055.mspx</a><br /><br /><strong>Cumulative Security Update for Internet Explorer (Critical)</strong><br /><br /><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-033.mspx">http://www.microsoft.com/technet/security/Bulletin/MS07-033.mspx</a><br /><br /><strong>Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution</strong><br /><br /><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-018.mspx">http://www.microsoft.com/technet/security/Bulletin/MS07-018.mspx</a><br /><br /><strong>Vulnerability in Vector Markup Language Could Allow Remote Code Execution</strong><br /><br /><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx">http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx</a><br /><br /><strong>Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution<br /></strong><br /><a href="http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx">http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx</a><br /><br /><strong>The Baofeng Storm MPS.StormPlayer.1 ActiveX control heap-based buffer overflow<br /></strong><br /><a href="http://xforce.iss.net/xforce/xfdb/36543">http://xforce.iss.net/xforce/xfdb/36543</a><br /><br /><strong>GLChat Stack-based buffer overflow<br /><br /></strong><a href="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5722">http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5722</a><br /><br /><strong>Baidu Bar ActiveX Control Remote Command Execution<br 
/><br /></strong><a href="http://www.frsirt.com/english/advisories/2007/2699">http://www.frsirt.com/english/advisories/2007/2699</a><br /><br /><strong>Real Player RAM Download Handler ActiveX Control<br /><br /></strong><a href="http://www.frsirt.com/english/advisories/2005/0368/references">http://www.frsirt.com/english/advisories/2005/0368/references</a><br /><br /><a href="http://www.snort.org/pub-bin/sigs.cgi?sid=8383">http://www.snort.org/pub-bin/sigs.cgi?sid=8383</a><br /><br /><a href="http://www.snort.org/pub-bin/sigs.cgi?sid=8384">http://www.snort.org/pub-bin/sigs.cgi?sid=8384</a><br /><br /><br />Finally, it redirects the user to two more pages that serve malware: (gg.haoliuliang.net/one/ hao8.htm?036) and (gg.haoliuliang.net/wmwm/ new.htm).<br /><br />Mitigation checklist for system administrators:<br /><br /><ol><li>Make sure all Windows machines are up to date; use <a href="http://technet.microsoft.com/en-us/wsus/default.aspx">WSUS</a> to distribute patches and critical updates, and <a class="l" href="http://www.microsoft.com/technet/security/tools/mbsahome.mspx">Microsoft Baseline Security Analyzer (MBSA)</a> to scan for missing patches and weak security settings.</li><li>Make sure all installed applications are up to date; <a href="http://secunia.com/network_software_inspector/">Secunia Network Software Inspector</a> can check for vulnerable software. The exploit page above targets third-party ActiveX controls (Baofeng Storm, GLChat, Baidu Bar, RealPlayer) as well as Windows itself, so OS patching alone is not enough. </li><li>Secure the ActiveX settings of Internet Explorer, check here <a href="http://extremesecurity.blogspot.com/2008/03/ie-activex-security-101.html">IE ActiveX security 101</a>. 
Also check the "<a href="http://isc.sans.org/diary.html?storyid=3931">ActiveX Killbit App</a>" from Tom Liston of Intelguardians.</li><li>Block all HTTP requests to http://www.nihaorr1.com/blah.js [replace blah.js with 1.js]; blocking the whole domain at the proxy or URL filter is more robust than matching one script name, which the attackers can change at will.</li><li>Make sure your antivirus vendor has signatures for W32/PWStealer1!Generic; PWS:Win32/Lineage.WI.dr; Trojan-PSW.Win32.OnLineGames.ppu; Trojan.PSW.Win32.OnlineGames.GEN</li></ol>Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-64238505620643285532008-03-21T11:43:00.000-07:002008-03-21T12:55:07.434-07:00IE ActiveX Security 101<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNxuR-24UuJpoFlluZacQg8qZTi7wI2NKYzM8HoDmPjz4q5q_3lnt9UnRTHjHeBkD4GT4OJKkIYdXSHktSJqi_OnMHBub2laFcS11GHAbqfKJ4ut544yf4h7vx5r9cZ5e0R3cyf4iFjGaI/s1600-h/ie.jpg"><img id="BLOGGER_PHOTO_ID_5180268994286895378" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 193px; CURSOR: hand; HEIGHT: 190px" height="212" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNxuR-24UuJpoFlluZacQg8qZTi7wI2NKYzM8HoDmPjz4q5q_3lnt9UnRTHjHeBkD4GT4OJKkIYdXSHktSJqi_OnMHBub2laFcS11GHAbqfKJ4ut544yf4h7vx5r9cZ5e0R3cyf4iFjGaI/s320/ie.jpg" width="234" border="0" /></a><br /><br />Now it is time to open the books and read about how we can achieve a safe browsing experience in a time when you can’t trust any site you visit on the Internet. If you rely on your antivirus alone to stop all of those invaders, 
you’ll be another addition to the “<strong>False Sense of Security believers</strong>” list.<br /><br /><br />Recently we have faced a lot of aggressive attacks against vulnerable systems that exploit the following ActiveX vulnerabilities:<br /><br /><br />Baofeng Storm ActiveX<br />Ourgame GLChat ActiveX<br />Qvod Player ActiveX<br />Microsoft RDS.Dataspace ActiveX<br />RealPlayer playlist ActiveX<br />Storm Player ActiveX<br />Microsoft Windows WebViewFolderIcon ActiveX<br />Xunlei Thunder DapPlayer ActiveX<br /><br /><br />Leaving your Windows machines unpatched in times like these is a shame, and running insecure browsers, or to put it better, “browsers with insecure settings”, is a big mistake, because every malware writer counts on exactly that: after the browser, the next layer he needs to exploit is the weak link, <em><strong>humans</strong></em>.<br /><br />So as a system admin, you should make sure that no user on your watch works with a vulnerable browser. To reach a good and secure configuration, I’ll show you the recommended IE ActiveX-related settings, which leave you exposed if they are not set the secure way.<br /><br />Click to enlarge the image:<br /><br /><br /><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBirhJOKbd0Na4U1mJ5MYfzBNWTb0P9M9MSH8voPnkXQBFjRaEqtXFA7XPsBdQNuitcJSilvoUWbNUSVk3RLNKqTBEWdK6JWbIZ-qpPXDltBbFtu_nEk6E98zOGso0kZtO0grxoe_oGHS/s1600-h/ie-2.jpg"><img id="BLOGGER_PHOTO_ID_5180281492641726754" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 367px; CURSOR: hand; HEIGHT: 228px; TEXT-ALIGN: center" height="232" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBirhJOKbd0Na4U1mJ5MYfzBNWTbc0P9M9MSH8voPnkXQBFjRaEqtXFA7XPsBdQNuitcJSilvoUWbNUSVk3RLNKqTBEWdK6JWbIZ-qpPXDltBbFtu_nEk6E98zOGso0kZtO0grxoe_oGHS/s320/ie-2.jpg" width="346" border="0" /></a></p><p>Usually, disabling everything breaks many features and makes browsing like “drinking a glass of bitter 
lemonade”. Thanks to the IE “Trusted Sites security zone”, which, as the name says, is where we put the sites we trust and allow any script or ActiveX control to be downloaded and run. Keep that list short: a trusted site that later gets injected, the way the U.N. site above was, runs its scripts and controls with the relaxed settings. You can use the “<a href="http://download.microsoft.com/download/ie5/Utility/1/W9XNT4MeXP/EN-US/pwrtwks.exe">Internet Explorer 5 Power Tweaks Web Accessory</a>” from Microsoft; this tool adds an "Add to Trusted Zone" choice to the Tools menu of Internet Explorer.<br /></p><p>100% safe browsing … is it a dream? What do you think?<br /></p>Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-49293452645321460822008-03-17T06:49:00.001-07:002008-03-27T05:27:39.652-07:00IFRAME Attacks - Actions to be taken<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinUSmeJf7z8c8Ds9RRGlxyrUtCKZxpE5c6AKrjrrKzZbbOtEIZWWxXjbjQvtnv5lO_6c_Y6BIeh0BmEtl39c9yLOEyf-1WaFUJhLR5EviNWEbZQM3UN4TQ4SAC0tUVlWsy52tZhHLnPD8B/s1600-h/iframe.jpg"><img id="BLOGGER_PHOTO_ID_5179163134935343554" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinUSmeJf7z8c8Ds9RRGlxyrUtCKZxpE5c6AKrjrrKzZbbOtEIZWWxXjbjQvtnv5lO_6c_Y6BIeh0BmEtl39c9yLOEyf-1WaFUJhLR5EviNWEbZQM3UN4TQ4SAC0tUVlWsy52tZhHLnPD8B/s320/iframe.jpg" border="0" /></a><br /><br /><br />The massive campaign against Internet websites is getting harder to contain because of the huge number of vulnerable websites that are not secured well enough to withstand this kind of attack. Mass IFRAME attacks against highly ranked sites have made it a success. 
So as a system admin you have to raise the security bar in your network to keep your clients from getting exploited and redirected to the malicious pages hosted on those websites.<br /><br />I've compiled a first-aid list to help you in this situation:<br /><br />- Monitor outgoing DNS requests to the Internet that bypass your local, legitimate DNS server (a client that resolves names elsewhere also bypasses the DNS redirection below).<br /><br />- Disable ActiveX.<br /><br />- Upgrade Internet browsers to the latest versions, IE 8 beta 1 or Firefox 3.<br /><br />- Update the current antivirus (also check your antivirus server report, track the clients that are not updating and fix their problems) and make sure it can detect Zlob variants.<br /><br />- Block clients from reaching the infected domains using the following techniques:<br /><br /><br /><ul><li>URL filtering software (e.g. Websense): block *all* of your clients from reaching malicious and porn sites. Put sites newly infected by the IFRAME attack in a custom blocked group until they are fixed. Also filter any downloaded executable whose name contains the keyword “codec”, for example *codec*.exe. </li><br /><li>In this case block (porn-popular.com) and all attempts to download (democodec1292.exe).</li><br /><li>Firewall rule: block all HTTP/HTTPS requests to the infected domains. </li><br /><li>DNS redirection: create a DNS zone (call it evil-websites) and add the domain records with bogus IPs, such as 127.0.0.1.</li><br /><li>If you are already running Snort, use this signature to detect the download of the fake codec executable. The original had no sid; every rule needs a unique one, and 1000001 below is a placeholder from the local-rule range (1000000 and up), so pick a free number in your deployment. The url reference is written without the http:// prefix, which Snort adds itself:<br /><br /><span style="font-size:85%;color:#ff0000;">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Likely Zlob variant Binary Requested (democodec1292.exe)"; flow:established,to_server; uricontent:"/democodec1292.exe"; nocase; classtype:trojan-activity; reference:url,ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html; sid:1000001; rev:1;) </span></li></ul><p></p><ul><br /><li>Patch your Windows machines, and track this using WSUS (free) from Microsoft. 
Never leave a system without the latest updates. </li><br /><li>Upgrade installed software to the latest versions; treat it like the operating system patch process. The RealPlayer and “Apple QuickTime Real-Time Streaming Protocol” vulnerabilities recently caused a lot of browser exploitation that got clients redirected to malicious sites. </li><br /><li>Keep your eyes on <a href="http://www.malwaredomains.com/">http://www.malwaredomains.com/</a>, add those domains to the firewall blacklist or the URL filtering software, and be proactive. It closes one more door against infection.</li><br /><li>Educate your users by running awareness sessions that show them how to spot such social-engineering attacks. The weak link is the end user; train them to tell the IT people about anything strange while they are browsing, such as a page asking them to install this xyz antivirus to protect their machine, or that xyz video codec to watch the online video of Paris Hilton!</li></ul>Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-19925500916151129532008-03-15T06:09:00.000-07:002008-03-15T06:31:46.891-07:00DNS-redirection techniques<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDL10CGz6nkkhlp7XSp6vEz3LWEPWkGAtDX-rlPMEEF7qVVrElyDlTjS7iNdbRWKJYbe0FSgtRCnypMidlWJ3Qbshz7oam2B8bI1UrpcJ-C1qC8z9TrAXRtXLBnp8Iu1wTURqMvW-b4xOY/s1600-h/access_denied.bmp"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDL10CGz6nkkhlp7XSp6vEz3LWEPWkGAtDX-rlPMEEF7qVVrElyDlTjS7iNdbRWKJYbe0FSgtRCnypMidlWJ3Qbshz7oam2B8bI1UrpcJ-C1qC8z9TrAXRtXLBnp8Iu1wTURqMvW-b4xOY/s320/access_denied.bmp" border="0" alt=""id="BLOGGER_PHOTO_ID_5177955884052947346" /></a><br /><br />We talked previously about malware-fighting and containment techniques; today I’ll talk about an interesting way to prevent internal hosts from reaching 
malicious websites.<br /><br />Malware today is more sophisticated and depends on multi-stage infection, which means the code on the machine is constantly updated and replaced by another stage that adds functions or uses new evasion techniques.<br /><br />To use DNS redirection we need to understand the original problem first. The malware writer’s aim is to infect as many machines as possible by many routes: spam, malicious web pages, or infected P2P shares. Spam and malicious web pages mostly use domain names, plus obfuscated or numeric URLs. And we know that to reach any web page on the Internet, the browser needs to translate the domain name to an IP address; that translation is the step we can intercept.<br /><br />To imagine an example: Joe receives an e-mail about love cards and, as usual (we need user awareness here, folks!), follows the instructions and opens the URL (www.lovecards2008.com) to download some lovely cards to send to his girlfriend … but our friend doesn’t realize that it isn’t a legitimate cards website; it is a fake one that serves malware instead of cards. The moment he runs the downloaded “card” executable, boom! His computer is infected.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9UtIUVpjVRvka73bclVzxRSdOEWW17qH-jnyn5F0xJ7VSwGZW6kzM9riMKZ8xI1CJsU2-wg59NJpSPgMrwdKk_RfwEnV656mVNykuERMhMD-4ksHQiiKR5mOIFlHQzUfguOzKCjJcHG5v/s1600-h/dns1.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9UtIUVpjVRvka73bclVzxRSdOEWW17qH-jnyn5F0xJ7VSwGZW6kzM9riMKZ8xI1CJsU2-wg59NJpSPgMrwdKk_RfwEnV656mVNykuERMhMD-4ksHQiiKR5mOIFlHQzUfguOzKCjJcHG5v/s320/dns1.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5177956627082289570" /></a><br />What can we do here to prevent the infection as early as possible? We can use the DNS server to send back “fake and unreachable” replies to the client. 
For example, the DNS server answers that the IP of www.lovecards2008.com is 127.0.0.1. This is called “loopback redirection”. With such a reply there is no way to reach the malicious site, and the user gets a “Web site unavailable” error. Good, let it be; we don’t want the user to access any malicious pages from now on. Two caveats: the reply only helps if clients cannot resolve names elsewhere, so block or monitor direct DNS queries from clients to the Internet; and it does nothing for URLs that carry a raw IP address, since no lookup happens, so those still need the firewall or proxy. Pointing the name at 127.0.0.1 also fails silently; pointing it at an internal sinkhole web server that logs every request tells you which hosts tried to reach the domain, which is the first thing you want to know during an outbreak.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMzg3fdtpQNxDoYbCgeZHM1PoqRf-y8RRIH6F04Stkcrn45ZtKaIc2k9JdXl7ho-P4UCFmnIM8ndxf8NMyA3F6BBfGMjzZAcEalq3mMWvhbLgifbp9sj-FuwcD5EpMACCj4zmCpcA76AX6/s1600-h/dns2.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMzg3fdtpQNxDoYbCgeZHM1PoqRf-y8RRIH6F04Stkcrn45ZtKaIc2k9JdXl7ho-P4UCFmnIM8ndxf8NMyA3F6BBfGMjzZAcEalq3mMWvhbLgifbp9sj-FuwcD5EpMACCj4zmCpcA76AX6/s320/dns2.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5177957881212740018" /></a><br />You can implement this technique in two ways with the same result: either use the hosts file, inserting as many entries with fake answers as you can, or use your internal DNS server (MS DNS or BIND) to create a “Malware Domains Blacklist Zone”. The latter is better, because you get a centralized place to control name resolution.<br /><br />This is a cheap way to prevent users from accessing such domains. It differs from web filtering solutions, which depend on a database of millions of URLs and provide policy-based filtering. 
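The two blacklist conversions on this page, the batch file earlier that turns the malwaredomains.com list into Squid ACLs and the blackhole zone described here, as one added Python example. This is not the post's code. It assumes the domains.txt layout the Excel step implies (lines starting with # are comments and the domain is the first tab-separated column), placeholder file paths, the documentation address 192.0.2.10 as an internal sinkhole web server, and one zone file shared by every blackholed zone, which BIND allows because the records are written relative to each zone's origin. The sample list is constructed, not real list data.

```python
"""Turn a malwaredomains.com-style list into Squid and BIND blocking config.

Added example for this page, not the post's own batch file.
Assumptions (adjust to your copy of domains.txt): '#' starts a comment,
the domain is the first non-empty tab-separated column, and
192.0.2.10 is a placeholder for your internal sinkhole web server.
"""
import re

# Constructed sample in the assumed layout; not real list data.
SAMPLE_DOMAINS_TXT = """\
# domain\tclassification\tsource\tdate
koolkatalog.com\tspyware\tsource-a\t20080401
\t\tprostol.com\tmalware\tsource-b\t20080402
GOOGKLE.COM\tphishing\tsource-a\t20080403
koolkatalog.com\tspyware\tsource-c\t20080405
not a domain!\tjunk\tsource-z\t20080406
"""

# Labels of letters, digits and hyphens, at least one dot, no leading/trailing hyphen.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def parse_domains(text):
    """Return the sorted, de-duplicated, lower-cased domains from the list.

    Lines that do not look like a hostname are dropped rather than written
    into squid.conf or named.conf, where one bad token breaks the reload.
    """
    found = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        candidate = line.split("\t")[0].strip().lower()
        if _HOSTNAME.match(candidate):
            found.add(candidate)
    return sorted(found)


def squid_blocklist(domains):
    """One domain per line, dotted so that subdomains match too.

    'koolkatalog.com' in a dstdomain ACL matches only that exact host;
    '.koolkatalog.com' matches it and everything under it.
    """
    return "".join("." + d + "\n" for d in domains)


def squid_conf_snippet(list_path):
    """squid.conf lines: one file-backed ACL instead of one acl line per domain.

    The deny must precede any http_access allow that matches your clients;
    Squid stops at the first http_access line that matches.
    """
    return ('acl blocksites dstdomain "%s"\n'
            "http_access deny blocksites\n") % list_path


def bind_zone_stanzas(domains, zone_file):
    """named.conf: make the resolver authoritative for every bad domain."""
    return "".join(
        'zone "%s" { type master; file "%s"; };\n' % (d, zone_file)
        for d in domains)


def bind_blackhole_zonefile(sinkhole_ip):
    """One zone file shared by all blackholed zones.

    '@' is the origin of whichever zone loads the file, and the wildcard
    answers www.<bad>, cdn.<bad> and so on with the sinkhole address.
    """
    return (
        "$TTL 3600\n"
        "@   IN SOA ns.sinkhole.example. hostmaster.sinkhole.example. "
        "( 1 3600 900 604800 3600 )\n"
        "    IN NS  @\n"
        "    IN A   %s\n"
        "*   IN A   %s\n" % (sinkhole_ip, sinkhole_ip))


if __name__ == "__main__":
    domains = parse_domains(SAMPLE_DOMAINS_TXT)
    print(squid_blocklist(domains), end="")            # -> /etc/squid/blocksites.txt
    print(squid_conf_snippet("/etc/squid/blocksites.txt"))
    print(bind_zone_stanzas(domains, "/etc/bind/db.blackhole"), end="")  # -> named.conf
    print(bind_blackhole_zonefile("192.0.2.10"))                         # -> db.blackhole
```

Write the three outputs to the paths you actually use, then reload Squid (squid -k reconfigure) and BIND (rndc reload); because the generator rejects anything that is not a hostname, a corrupted download cannot leave either daemon unable to start. The sinkhole address is where the logging web server from the caveat above should listen.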
Here we simply use the DNS server that every host in the network already relies on.<br /><br />If you want a starting point, visit <a href="http://www.malwaredomains.com">www.malwaredomains.com</a>, download their free blacklists of malicious domains, import them and start preventing.Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-60561493018156756512008-03-03T02:19:00.000-08:002008-04-05T12:38:30.129-07:00Malwares Containment: Quarantine the infected<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2l3ofuX_3WJAbY7tYa7W_jAkyPJImW1juBODi40dKrXs368bJX8WxpIe7JwZg3BHCghgq-1SPUnYYC_C82mCVZ7Pk9nPM_41iR1cqSzMwzy2Txc2tfd6sLanJCb9u79GAtu4jSDf6w80R/s1600-h/quarantine.jpg"><img id="BLOGGER_PHOTO_ID_5173459128166415394" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 218px; CURSOR: hand; HEIGHT: 306px" height="306" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2l3ofuX_3WJAbY7tYa7W_jAkyPJImW1juBODi40dKrXs368bJX8WxpIe7JwZg3BHCghgq-1SPUnYYC_C82mCVZ7Pk9nPM_41iR1cqSzMwzy2Txc2tfd6sLanJCb9u79GAtu4jSDf6w80R/s320/quarantine.jpg" width="220" border="0" /></a><br /><br /><span style="color:#000000;">Today we continue our discussion with the next step after you have detected malicious traffic in your network: isolating the infected machines from the rest of it. The easy way is to unplug the cable and physically disconnect them. Good option, but suppose you have a lot of them; then your L3 switch becomes a good ally. Create a “Quarantine VLAN” to group the infected machines and prevent any communication to or from them. </span><br /></span><br /><span style="color:#000000;"></span><br /><span style="color:#000000;">This VLAN stops broadcasts and scanning from reaching other computers. If creating VLANs is impossible for some reason, switch to plan B: ACLs. 
ACLs are important to stop or slow down malware propagation in your network. </span><br /><br /><span style="color:#000000;">Take the following Cisco switch ACL example. Apply it inbound on the quarantine VLAN interface (ip access-group 101 in), so that it filters the traffic leaving the quarantined hosts:</span><br /><span style="color:#ff0000;"><blockquote><p><span style="font-size:85%;"><span style="color:#ff0000;">access-list 101 remark outgoing packet access list for the quarantine VLAN<br />access-list 101 remark -- replies to sessions the host already has open<br />access-list 101 permit tcp any any established<br />access-list 101 remark -- hosts the infected machines must still reach (AV server, WSUS)<br />access-list 101 permit tcp any host [allowed destination] eq %protocol%<br />access-list 101 permit ip any host [insert %host% here]<br />access-list 101 remark -- stop mass mailing and SMB/NetBIOS propagation<br />access-list 101 deny tcp any any eq smtp<br />access-list 101 deny tcp any any eq 137<br />access-list 101 deny tcp any any eq 138<br />access-list 101 deny tcp any any eq 139<br />access-list 101 deny tcp any any eq 445<br />access-list 101 deny udp any any eq netbios-ns<br />access-list 101 deny udp any any eq netbios-dgm<br />access-list 101 deny udp any any eq netbios-ss<br />access-list 101 remark -- everything else still passes; use deny ip any any here for a strict quarantine<br />access-list 101 permit ip any any</span></span></p><span style="color:#000000;">These lines deny outbound SMTP, SMB and NetBIOS connections to other machines (TCP 139 is added to the original list, because SMB also rides on the NetBIOS session service; the TCP 137/138 lines do no harm, but those two services actually run over UDP, which the netbios-ns and netbios-dgm lines cover). Replace [allowed destination] with any host the infected machines still have to reach, for example the antivirus server or the WSUS server for Windows patches, and %protocol% with the destination port or protocol; 
[insert %host% here] works the same way for a host that must stay reachable on every protocol. The closing permit ip any any lets all other traffic through, which is enough to slow propagation; for a strict quarantine, end the list with deny ip any any after the explicit permits instead.<br /><br /><span style="color:#000000;">Click on the image to see the full size:</span><br /><br /><p></p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizTd_G6K5SQu4bQRtIekQKpEif-NGN2lZZStwj7GtOGFx4-aRwnUofCg9khJ1O28qU3D7ZBHWmSIvpIJBkHg0yZfTeSw0hfHFYXyKvtJ7IPJkELEZO6FFhTrJEI3Dinhc2Yn6u6lj7vmjW/s1600-h/quarantine.gif"><img id="BLOGGER_PHOTO_ID_5173461563412872242" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizTd_G6K5SQu4bQRtIekQKpEif-NGN2lZZStwj7GtOGFx4-aRwnUofCg9khJ1O28qU3D7ZBHWmSIvpIJBkHg0yZfTeSw0hfHFYXyKvtJ7IPJkELEZO6FFhTrJEI3Dinhc2Yn6u6lj7vmjW/s320/quarantine.gif" border="0" /></a><br /><span style="color:#000000;">Isolating infected machines gives you several advantages: </span></p><p><span style="color:#000000;">1. It slows the propagation of the malware to other, clean machines.<br />2. It reduces the broadcast storms.<br />3. You can test disinfection procedures on these machines until you get virus definitions from the vendor.<br />4. You can deploy a honeypot, monitor the malware’s behaviour and try to learn and reverse its actions.<br />5. Malware today is getting more dynamic and modular by relying on a</span> <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2003-011710-3138-99">built-in downloader </a><span style="color:#000000;">to update its code from the mother ship (server), so we can use this feature to trick the infected machine into downloading a curing executable.<br />For example, if you sniff the infected machine and see outbound connections to another host on the Internet for (http://xxx.xxx.xxx.xxx/xyz.exe), it is trying to fetch something. 
Simply hardcode the domain name in the infected machine’s hosts file and redirect it to the honeypot machine, or to a machine running</span> <a href="http://netcat.sourceforge.net/">Netcat</a> <span style="color:#000000;">listening on port 80, and look at the HTTP request (if the downloader uses a raw IP address instead of a name, as in the example above, the hosts file cannot intercept it and you need a redirect rule on the gateway instead). If it asks for an executable, we mimic the server: write a batch file with temporary disinfection steps (killing a process, deleting files, stopping services, deleting registry keys, or even installing patches), convert the batch file to an .exe, place it at the requested path on the web server and wait. This technique has been used before, with</span> <a href="http://www.honeyd.org/">honeyd</a> <span style="color:#000000;">to fight worms (</span><a href="http://www.symantec.com/security_response/writeup.jsp?docid=2003-081113-0229-99">Blaster</a><span style="color:#000000;">,</span> <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2004-050116-1831-99">Sasser</a><span style="color:#000000;">).<br /></span><br /></p><br /></blockquote><br /></span></span>Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0tag:blogger.com,1999:blog-4836375110769205076.post-55627883919565934222008-02-24T11:41:00.000-08:002008-02-25T00:46:20.106-08:00Malwares Containment: Level II<a href="http://ucdavismagazine.ucdavis.edu/issues/fall05/graphics/MalwareGuys.jpg"><img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 253px; CURSOR: hand; HEIGHT: 264px" height="246" alt="" src="http://ucdavismagazine.ucdavis.edu/issues/fall05/graphics/MalwareGuys.jpg" border="0" /></a><br /><div><br /><div></div><div> </div><div> </div><div>Once you have monitored the network traffic and observed something suspicious, follow a few recommendations to keep your analysis organized and fruitful. 
Here are my favourite procedures when it comes to malicious traffic analysis: </div><div><br />· Use the sniffer to list top senders against destination host and destination port: everything starts with knowing who is talking to whom, over which protocols. Infected hosts are easy to spot by their “changed” behaviour, from a high number of ARP requests for randomly generated addresses (an “ARP storm”, the malware scanning the subnet) to bursts of DNS resolution requests; high SMTP volume is another story.<br />See the ARP broadcasts in a sniffer:<br /><br /></div><img style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 306px; CURSOR: hand; TEXT-ALIGN: center" height="209" alt="" src="http://www.colasoft.net/images/howto/arp_attack_pic5.gif" border="0" /><br /><div><br />· Use the sniffer to see the full session data and look for clues about what is being sent between hosts. For example, HTTP packets can show requests to download or upload files, bot-to-mothership traffic, etc. Every captured packet is valuable to the analysis; this is like collecting the pieces of a crashed plane. </div><br /><div><br />· If you find a unique pattern that repeats whenever compromised hosts generate traffic, use it as a capture filter to make the sniffer more specific and faster.</div><div><br />· Sniffers can send notifications by e-mail, pager, SNMP or SMS for anything that shows up on the radar. For instance: if any host makes this specific HTTP request, e-mail me! </div><div><br />· A unique pattern is also the first step towards writing an IDS rule, or even a firewall rule. IDS rule writers depend on sniffers to get patterns, and let the IDS look for them at a specific location in the packet and fire an alarm when they match.</div><div><br />· Save the sniffed packets and keep them for offline analysis, or even to share with other analysts on the Internet. 
Use the pcap format (“.cap”/“.pcap”), which most sniffers support nowadays.</div><div><br />Here is a list of my recommended sniffers:</div><div><br />- <a href="http://www.wireshark.org/">Wireshark</a><br />- <a href="http://www.wildpackets.com/products/demos">WildPackets OmniPeek</a><br />- <a href="http://www.tcpdump.org/">TcpDump</a></div><div><br />Ok, enough about sniffers. I will move on to another important player in the game, the IDS. It is good to keep an IDS running all the time to detect what sniffers can’t see, because IDSs have analysis engines, correlation engines, signatures, and the ability to reassemble packets and sessions. The IDS should be deployed so that it watches the in/out traffic of every network point (gateway, Wi-Fi, LANs); the deployment must let the IDS sniff and inspect every single packet in your network, because IDSs are basically sniffers with additional engines that use signatures to detect attacks. So if your network contains switches, configure a SPAN/monitoring port so that your IDS can see all of the traffic on the switch. </div><div><br />Using an IDS to detect “in-the-wild” malware depends on many factors: </div><div><br />- Are the signatures up to date for the latest malware?<br />- Are they “generic” or “specific” signatures?<br />- Is the IDS deployed at the critical in/out points of your network? </div><div><br />To mention an example here, using Snort IDS (if you are in <a href="https://lists.snort.org/mailman/listinfo/kuwait-sug">Kuwait, visit the Kuwait-sug</a>) is a good start, since it is free, sophisticated and community-supported. Installation and deployment of Snort are out of scope here; they will get their own tutorial later. 
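The top-talker and pattern-hunting steps above, done over the proxy log instead of a live capture, as an added Python example that is not from the post. It assumes Squid's native access.log layout (time, elapsed, client, status/code, bytes, method, URL, ident, hierarchy, type) and a constructed set of log lines; the indicator file names are the ones quoted on this page (democodec1292.exe, with_love.exe, valentine.exe), matched case-insensitively the way the Snort rules' nocase does, and the high-port check mirrors the 1024:65535 C&amp;C rule quoted further down.

```python
"""Triage a Squid access.log the way the post triages a capture.

Added example, not from the post.  Assumes Squid's native log format:
  time elapsed client status/code bytes method URL ident hierarchy type
The indicator file names come from this page; the log lines are constructed.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines (clients 10.0.0.x, destinations in TEST-NET ranges).
SAMPLE_ACCESS_LOG = """\
1205500000.101    120 10.0.0.12 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/198.51.100.7 text/html
1205500001.204    245 10.0.0.12 TCP_MISS/200 61234 GET http://porn-popular.com/democodec1292.exe - DIRECT/203.0.113.5 application/octet-stream
1205500002.310     88 10.0.0.44 TCP_MISS/200 4096 GET http://cards.example.net/With_Love.EXE - DIRECT/203.0.113.9 application/octet-stream
1205500003.415     30 10.0.0.44 TCP_HIT/200 2048 GET http://www.example.com/logo.gif - NONE/- image/gif
1205500004.520    410 10.0.0.44 TCP_MISS/200 1024 CONNECT 203.0.113.9:4444 - DIRECT/203.0.113.9 -
1205500005.625     60 10.0.0.12 TCP_MISS/200 512 GET http://www.example.com/faq.html - DIRECT/198.51.100.7 text/html
"""

# Binaries named on this page; compared lower-cased, like a nocase uricontent.
INDICATORS = {"democodec1292.exe", "with_love.exe", "valentine.exe"}


def _destination(method, url):
    """Return (host, port, path) for a GET-style URL or a CONNECT host:port."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port) if port else 443, ""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname or "", port, parts.path


def parse_squid_log(text):
    """Parse native-format lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue
        host, port, path = _destination(fields[5], fields[6])
        records.append({
            "time": float(fields[0]), "client": fields[2], "status": fields[3],
            "bytes": int(fields[4]), "method": fields[5], "host": host,
            "port": port, "file": path.rsplit("/", 1)[-1].lower(),
        })
    return records


def top_talkers(records, n=5):
    """Who talks to whom: (client, host, port) tuples by request count."""
    return Counter((r["client"], r["host"], r["port"]) for r in records).most_common(n)


def match_indicators(records, indicators):
    """Requests whose file name is a known malicious binary."""
    return [r for r in records if r["file"] in indicators]


def high_port_sessions(records, lowest=1024):
    """Client-to-Internet sessions on ephemeral ports, the Qhost C&C pattern."""
    return [r for r in records if r["port"] >= lowest]


if __name__ == "__main__":
    recs = parse_squid_log(SAMPLE_ACCESS_LOG)
    for (client, host, port), count in top_talkers(recs):
        print("%-12s -> %s:%d  %d requests" % (client, host, port, count))
    for r in match_indicators(recs, INDICATORS):
        print("IOC  %s fetched %s from %s" % (r["client"], r["file"], r["host"]))
    for r in high_port_sessions(recs):
        print("PORT %s -> %s:%d (%s)" % (r["client"], r["host"], r["port"], r["method"]))
```

Run it against your real access.log by reading the file into parse_squid_log. The indicator hit for 10.0.0.44 and its CONNECT to a high port on the same Internet host are exactly the kind of repeating pattern the post says to turn into a capture filter and then into an IDS rule; the log never sees raw ARP or DNS, so the sniffer steps above still apply for those.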
</div><div><br />Snort depends on signatures to detect attacks and malware. For example, see the following Emerging Threats signature, which detects one variant of the currently dominant botnet worm, Storm (I’ll talk about it later): </div><div><br /><span style="color:#ff0000;">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT EVENTS Likely Storm Binary Requested (with_love.exe)"; flow:established,to_server; uricontent:"/with_love.exe"; nocase; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/; sid:2007761; rev:2;)<br /></span><br />From the signature it is clear that (with_love.exe) is the Storm variant’s executable, and that it is usually downloaded over HTTP. </div><div><br />I received another Storm variant in my e-mail, under the name (Valentine.exe). So we can copy the previous signature to detect it. The copy needs its own sid (the original post reused 2007761, which collides with the ET rule; 1000002 below is a placeholder from the local-rule range, 1000000 and up) and starts again at rev:1: </div><div><br /><span style="color:#ff0000;">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL CURRENT EVENTS Likely Storm Binary Requested (Valentine.exe)"; flow:established,to_server; uricontent:"/valentine.exe"; nocase; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/; sid:1000002; rev:1;)<br /><br /></span>Another example is detecting a bot’s outbound communication to the command and control server: </div><div><br /><span style="color:#ff0000;">alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Trojan.Win32.Qhost C&C Traffic Outbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; classtype:trojan-activity; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; sid:2007578; rev:1;) </span></div><span style="color:#ff0000;"></span><div><br />Look at the content match: the bytes between the pipes are hex and the rest is literal ASCII, and together they are the traffic pattern we obtained while sniffing the bot’s traffic to the “mother ship”, a.k.a. the C&C. </div><div><br 
/>Anyway, these are just a few examples of the detection and visibility an IDS gives you over malware in your network. </div><div align="left"><br />Deploy the IDS at these points: </div><div align="left"><br />- Between the Internet router and your network: an IDS here gives “full visibility” of the network’s inbound and outbound traffic. Use a network TAP for this position.<br />- Inside the DMZ: to watch attacks that target your critical servers in the DMZ; a compromised server is also detected faster than by manual inspection.<br />- Inside the LAN: the main battlefield between malware and system admins. Use the SPAN port on your switches to improve IDS visibility: a switch forwards unicast frames only to the destination port, so a sensor on an ordinary port sees none of the traffic between other hosts. The SPAN port duplicates the traffic from the LAN ports to the port the IDS is connected to (keep in mind that a SPAN port drops frames when the mirrored traffic exceeds its capacity, which a TAP does not). </div><div align="left"></div><div align="left">See the way a sniffer/IDS is connected to a SPAN port:</div><div align="left"><br /></div><a href="http://www.cisco.com/warp/public/473/41d.gif"><img style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 400px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://www.cisco.com/warp/public/473/41d.gif" border="0" /></a> To be continued ...<br /><br /><br /><div align="left"></div></div>Ayed Alqartahttp://www.blogger.com/profile/05283712627534691171noreply@blogger.com0