Friday, April 25, 2008

Malware Analysis Tools and Techniques


Apart from the guidelines already published in various books and articles, this post summarizes the manual and automated techniques for running collected malware samples and recording their behavioural activity. Note that "malware" can be delivered in the form of a trojan, virus or worm.

Manual Toolset
These tools are used in conjunction with one another to support in-depth analysis of a malware sample.

Foundstone BINTEXT
Malzilla (Analyzing Web-Based Malwares - JavaScript/iFrame)
HTTP Proxy Debuggers (Paros, WebScarab)
Nepenthes
iDefense SysAnalyzer, HookExplorer and MAP (Malcode Analyst Pack)
RegShot
SysInternals Tools
PEiD Tool (Very important to detect packers/compilers/cryptors)
UPX
FireBug
OllyDbg
WinDbg
GDB GNU (Linux)
OllyDump
OllyScript
SoftICE (Reversing)
IDA Pro (Reversing)
Salamander Decompiler (.NET Applications)
Reflector.Net Tool
DaFixer's DeDe (Delphi)
Backerstreet.com REC
HeavenTools PE Explorer
HijackThis

Automated Online Tools
These online submission services automatically execute the submitted malware in a tightly restricted (sandboxed) environment, record its activity, and report the results alongside detections from a range of anti-virus/anti-malware engines.

CWSandbox.org
ThreatExpert.com
VirusScan.jotti.org
Norman.com/microsites/nsic/
Malwareinfo.org
VirusTotal.com
VirScan.org

Wednesday, April 16, 2008

Digital Forensics: An Investigator's Toolkit


The world of computer forensics has undergone rapid change in the laws and regulations that govern professionals conducting investigations day to day. Stricter jurisdiction over the handling of corporate crime investigations has opened new debates between the attackers' world (more advanced malicious adversaries applying anti-forensic techniques that make them harder to track down) and forensic investigators. As mentioned previously, I intended to post forensic tools under defined categories for ease of forensic practice. Below is a list of tools a forensic examiner can use during an investigation.

File Analysis
SurfRecon LE rapid image analysis tool
truss
ltrace
xtrace
ktrace
Strings (Download the program strings.exe from http://www.microsoft.com/technet/sysinternals/utilities/Strings.mspx)
Valgrind
Galleta
Pasco (by Foundstone)
Rifiuti
yim2text
InCtrl5
Hachoir
UnxUtils
Cygwin
GnuWin32
P2P Marshal

Disk Analysis Tools
PC-3000
LINReS
SMART (by ASR Data)
Macintosh Forensic Software (BlackBag Technologies, Inc.)
MacForensicsLab
EMail Detective - Forensic Software Tool
EnCase (by Guidance Software) - Most Recommended
Sysinternals Monitoring Tools (Regmon, Filemon and more)
FBI tool (Nuix Pty Ltd)
Forensic Toolkit (FTK) (by AccessData)
ILook Investigator (Elliot Spencer and U.S. Dept of Treasury)
OnLineDFS
Safeback
X-Ways Forensics
Prodiscover
AFFLIB
Autopsy
foremost
FTimes
Scalpel
Sleuthkit
Zeitline (Forensic timeline editor)
P2 Enterprise Edition (by Paraben)
LiveWire Investigator 2008
Pathways

Metadata Extraction Tools
antiword
catdoc
PuriFile
jhead
laola
vinetto
word2x
wvWare
xpdf
Metadata Assistant
Hachoir-metadata (Hachoir project)

Memory Imaging Tools
Firewire (http://www.storm.net.nz/projects/16)
Tribble PCI Card
CoPilot
Windows Memory Forensic Toolkit (WMFT)
Idetect (Linux)
dd (Linux)

PDA Forensics
Paraben PDA Seizure
Paraben PDA Seizure Toolbox
PDD

Cell Phone Forensics
BitPIM
DataPilot Secure View
GSM .XRY
Fernico ZRT
ForensicMobile
MOBILedit
Oxygen PM II
Paraben's Device Seizure
TULP2G

SIM Card Forensics
ForensicSIM
SIMCon

Preservation Tools
Paraben StrongHold Bag
Paraben StrongHold Tent

Hex Editors
biew
hexdump
WinHex
Hex Workshop

Forensics Live CDs
Helix
SNARL
DEFT Linux
Knoppix STD
Recovery Is Possible - RIP from Tux.org
Stagos FSE

Other Essential Tools
VMware Player
VMware Server
Webtracer
The Onion Router (TOR)
Live View
Parallels VM
Microsoft Virtual PC


Even an excellent investigator should, however, go beyond these toolsets and perform some manual examination of the evidence from different angles. Keeping in mind the anti-forensic techniques attackers use to hide their tracks is especially valuable. Since it is a known fact that prosecuting the right person requires it, one must reconstruct carefully what the malicious adversary did, step by step. Remember, in no case should you modify or alter the original preserved evidence.




In the world of computer forensics, very rapid changes occur because of the laws and regulations concerning the conduct of the professionals who carry out investigations day to day. Entering the jurisdiction of processing a corporate crime investigation has opened new debates between the world of attackers and that of forensic investigators. As said before in one of our posts, the tools are grouped by category to make forensic practice easier.
Below is a list of the tools that can be used during the investigation.

File Analysis:
SurfRecon LE
truss
ltrace
xtrace
ktrace
Strings
Valgrind
Galleta
Pasco (by Foundstone)
Rifiuti
yim2text
InCtrl5
Hachoir
UnxUtils
Cygwin
GnuWin32
P2P Marshal

Disk Analysis:
PC-3000
LINReS
SMART (by ASR Data)
Macintosh Forensic Software (BlackBag Technologies, Inc.)
MacForensicsLab
EMail Detective - Forensic Software Tool
EnCase (by Guidance Software) - Most Recommended
Sysinternals Monitoring Tools (Regmon, Filemon and more)
FBI tool (Nuix Pty Ltd)
Forensic Toolkit (FTK) (by AccessData)
ILook Investigator (Elliot Spencer and U.S. Dept of Treasury)
OnLineDFS
Safeback
X-Ways Forensics
Prodiscover
AFFLIB
Autopsy
foremost
FTimes
Scalpel
Sleuthkit
Zeitline (Forensic timeline editor)
P2 Enterprise Edition (by Paraben)
LiveWire Investigator 2008
Pathways

Metadata Extraction:
antiword
catdoc
PuriFile
jhead
laola
vinetto
word2x
wvWare
xpdf
Metadata Assistant
Hachoir-metadata (Hachoir project)

Memory Imaging Tools:
Firewire (http://www.storm.net.nz/projects/16)
Tribble PCI Card
CoPilot
Windows Memory Forensic Toolkit (WMFT)
Idetect (Linux)
dd (Linux)

PDA Tools:
Paraben PDA Seizure
Paraben PDA Seizure Toolbox
PDD

Cell Phone Tools:
BitPIM
DataPilot Secure View
GSM .XRY
Fernico ZRT
ForensicMobile
MOBILedit
Oxygen PM II
Paraben's Device Seizure
TULP2G

SIM Card Tools:
ForensicSIM
SIMCon

Preservation Tools:
Paraben StrongHold Bag
Paraben StrongHold Tent

Hex Editors:
biew
hexdump
WinHex
Hex Workshop

Live CDs:
Helix
SNARL
DEFT Linux
Knoppix STD
Recovery Is Possible - RIP from Tux.org
Stagos FSE

And other essential tools:
VMware Player
VMware Server
Webtracer
The Onion Router (TOR)
Live View
Parallels VM
Microsoft Virtual PC

You must keep in mind that there are anti-forensic techniques used by attackers to help them hide and gain an advantage. Since this is a known fact, to catch the right person one must think as they do, trying to recreate events step by step. Remember, under no circumstances should you modify or alter the original data.

Translated by: Rafael, Alfredo, Ali (www.ethical-hacker.net)

Sunday, April 13, 2008

Initial Steps in Computer Forensics

A few weeks back, I followed the SecurityFocus mailing lists and responded to one of my colleague's emails concerning a "Computer Forensics" investigation. Here is what I initially described to him for copying the HDD to preserve the master record of the evidence. In computer forensics, the first step is to acquire and preserve the evidence against any modification, whether made by the investigator or by any other entity. The best way of dealing with such cases is:

1. Power Down the system (if applicable for removable storage media)
2. Remove any portable storage media and look if you can remove HDD as well.
3. Record necessary BIOS information.
4. Make an image of the storage media.
- dd (Under Linux Platform)
- EnCase (For Win32)
- SMART from ASRData
5. Verify the integrity of Data collected using MD5 Checksum tool.
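Steps 4 and 5 above (image the media, then verify the copy with an MD5 checksum), as an added shell example that is not part of the original post. It assumes a Linux host with dd and md5sum (openssl as a fallback); the "evidence drive" is a constructed file, and the log file and function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): acquire a disk image with dd and
# verify it with an MD5 checksum, as in steps 4 and 5 of the procedure above.
# Assumes a Linux host with dd and md5sum (openssl as a fallback). In a real
# acquisition SRC is the evidence block device (e.g. /dev/sdb) attached through
# a hardware write blocker; here a constructed file stands in for the drive.

hash_of() {
    # MD5 hex digest of a file or block device.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl md5 -r "$1" | cut -d' ' -f1
    fi
}

acquire_image() {
    # acquire_image SRC DST LOG: copy SRC to DST, hash both, and append the
    # hashes with a UTC timestamp to LOG as the chain-of-custody record.
    # bs=512 matches the sector size, so no padding is added at the end;
    # conv=noerror,sync skips unreadable sectors and zero-fills them so later
    # offsets still line up (a resulting hash mismatch then flags a bad read).
    src=$1; dst=$2; log=$3
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_of "$src")
    dst_hash=$(hash_of "$dst")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source=%s md5=%s\n' "$stamp" "$src" "$src_hash" >> "$log"
    printf '%s image=%s md5=%s\n' "$stamp" "$dst" "$dst_hash" >> "$log"
    [ -n "$src_hash" ] && [ "$src_hash" = "$dst_hash" ]
}

verify_image() {
    # verify_image IMAGE EXPECTED_MD5: re-check a stored image (e.g. before
    # analysis or in court) against the hash recorded at acquisition time.
    [ -n "$2" ] && [ "$(hash_of "$1")" = "$2" ]
}

make_demo_drive() {
    # Constructed stand-in for the evidence drive: 20480 bytes (40 sectors)
    # of deterministic data, so the copy has no partial final block.
    f=$(mktemp)
    i=0
    while [ "$i" -lt 1024 ]; do
        printf 'evidence-block-%04d-' "$i"
        i=$((i + 1))
    done > "$f"
    echo "$f"
}

# Demo run on the constructed drive (a real run passes the device path as SRC).
DRIVE=$(make_demo_drive); IMAGE=$(mktemp); LOG=$(mktemp)
if acquire_image "$DRIVE" "$IMAGE" "$LOG"; then
    echo "image verified, md5=$(hash_of "$IMAGE")"
else
    echo "HASH MISMATCH: image is not a bit-exact copy, do not proceed"
fi
cat "$LOG"
```

The recorded hash is what lets anyone later show the working copy is identical to what was acquired; any single changed byte makes `verify_image` fail.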

Be sure of the proper documentation and legal procedures to be followed in any investigation you are on. By following these steps you preserve the chain of custody for the required evidence, with no modifications made to it.

Some useful metadata analyzer tools can help find hidden "meta data" inside a number of document types (PDF, DOC, XLS, etc.):

-PuriFile (http://www.purifile.com)
-Inforenz Forager (http://www.inforenz.com/software/index.html)
-Metadata Analysis and cleanup (http://www.payneconsulting.com)
-wvWare (http://wvware.sourceforge.net)

I will very soon be posting a list of forensic analysis tools analogous to what I did for the "Penetration Testing Framework", so keep your eyes on it.



A few weeks ago, I was following the SecurityFocus list and responding to an email from a colleague concerning a "Computer Forensics" investigation. Here is what he initially defined as the way to copy the hard drive in order to preserve the initial record of the evidence. In computer forensics, the first step is to acquire (make a copy of) and preserve the evidence (the original HDD) to avoid any modification the investigator might later make. The best way to do this is:

1. Power down the system (if applicable, remove the removable devices)
2. Remove any removable device and see whether you can remove the hard drive as well
3. Record the necessary BIOS information.
4. Make an image of the devices.
- dd (Linux)
- EnCase (Win32)
- SMART from ASRData
5. Verify the integrity of the data using an MD5 checksum tool.

To be sure of the proper documentation and legal procedures you follow during an investigation, you need to ensure the chain of custody and take note of any modification that is made.

Some metadata analyzer tools can help you search for "meta data" hidden inside several types of documents (PDF, DOC, XLS, etc.)

-PuriFile (http://www.purifile.com)
-Inforenz Forager (http://www.inforenz.com/software/index.html)
-Metadata Analysis and cleanup (http://www.payneconsulting.com)
-wvWare (http://wvware.sourceforge.net)

We will be posting the forensic analysis counterpart very soon; stay tuned…

Translated by: Rafael, Alfredo, Ali (www.ethical-hacker.net)

Monday, April 7, 2008

On the fly: Web Application Security Auditing


If you have heard of FireCAT (Firefox Auditing Tools, my favorite) before, this article simply extracts some of the most useful and accessible tools that are a must when auditing a web application directly through your browser. Following standard web application pen-testing methods with the tools provided under FireCAT will evaluate the security level of most web applications.

FireCAT adds a wide range of extensions to your browser that let you work from top to bottom to find as much information as possible about your target. In my experience, some of the most useful tools are mentioned below:

Information Gathering
ActiveWhois, DomainFinder, RouterStatus(more useful if you're local/remote network admin), Header Spy, Header Monitor, People Search, Who is this Person, Google Advanced Dorks, SpiderZilla, Google Site Indexer(very useful).

Web Relay/Proxy Auditors
SwitchProxy, FoxyProxy

Security Auditing
Tamper Data(tampering with live web-forms data), LiveHTTPHeaders, User Agent Switcher, Add'n'Edit Cookies, Cookies Swap, AllCookies, DOM Inspector(specifically for developers), Chickenfoot, Poster, XSS-Me and SQL Inject-Me(excellent toolset).

Network Auditing Utilities
FireFTP, FireKeeper(WIDS) ffsniff, Oracle OraDB Error Code Look-up, SQL Connection, MySQL Client, JiWire(Wi-Fi)

Miscellaneous
GreaseMonkey, File Encrypter, Net-force Tools, Refspoof, MDHash Tool, Malware Scanner(Dr.Web), Logs(Enhanced History Manager)

Using any combination of these tools makes life easier for the pen-tester when looking for specific vulnerabilities through fuzzing techniques. The complete list of extensions available in the FireCAT 1.3 release is shown in the screenshot above.

Friday, April 4, 2008

Website Defacements, A Game or Political Agenda? Decide yourself


On fast-moving technological ground, the discovery of new vulnerabilities and the development of 0-day exploits (PoC, proof-of-concept exploit code) have proven for years to be the most sophisticated arena of the internet underground. As shown in the press, media and various publications, hackers or crackers involved in illegal activities are taken down by U.S. Marshals or other federal authorities on a daily basis. On the other hand, these federal agents (e.g. FBI or Interpol) in turn grant leniency to caught hackers/crackers in exchange for help in penetrating deeper into the real gang behind those crimes.
(Ref. TJX Data Breach, late 2007)

Far from the world's common views of the hacker 'as a computer guru' or 'as a cracker' who uses his computer skills to cause intentional loss to an organization, it is fairly clear that some of these activities are carried out with malicious intent and some without. A look into one of the well-known defacement archives proves this with statistics broken down in various ways.
(Zone-H.org - Statistics report 2005-2007)

From the report, it is much easier to analyze which specific attack components are the weakest link in these massive defacements. For instance:
Web server technologies: (Apache, IIS)
Operating systems: (Linux, Windows 2003) ... and more, as shown in the screenshots.



The main difference identified is a massive drop in defacements of Windows-based servers, which has now shifted onto Linux servers. This is because in late 2003-2004 most internet companies and e-business organizations decided to switch to Linux for its flexibility and security when transacting over the internet. Still, if we look at the "Top Attack Methods" of the last 3 years, the very first is "Misconfiguration". The reason is that many system administrators deploy the company's network infrastructure insecurely and rely on default installation procedures, which turns into a black day for them when a defacement succeeds. From the web application security view, known attack vectors include SQL injection, XSS (cross-site scripting), file inclusion attacks (LFI/RFI), and weaknesses in other application controls such as authentication, transaction integrity (e-commerce, etc.) and confidentiality.

Getting into the real world of defacers gives an inside look at a terrible information war among various groups of hackers: some hack for fame, some as political activists and some for fun.
(Ref. Video - "Cyberwars" at video.google.com)

What is the reality behind hacking into the Pentagon? (U.S. trade secrets or more...) But why do they hack them? It is a question that has remained unanswered for years. As described by the media, this could be a cross-border terrorism issue, which leads to the fact of cracking government systems to obtain secret information. As shown in the above Discovery Channel video, "A 19-year-old boy from Malaysia claims to hold the most dangerous virus, still operating in lab mode"; iDefense has clearly cited the danger that such an attack could shut down billions of computers within a matter of seconds.

"This is this thing keeping everyones lungs and lips locked, it is called fear and its seeing a great renaissance."
- The Dresden Dolls

Wednesday, April 2, 2008

Network Penetration Testing Framework: From A-to-Z

A security assessment or penetration test starts with numerous steps, each comprising a number of different or related operations. The following are the major steps leading to an in-depth security analysis of the target host or network, from information gathering through to successful exploitation.

-Information Gathering or Footprinting
(Public database (whois), Netcraft, Telephone directories, Physical Locations, Blogs, Newsgroups)

-Network Scanning
(Nmap, Unicorn Scan, Scanrand, Superscan)

-Enumeration & Service Identification
(Netcat, DumpSec, NBTScan, DNS Zone Transfers (nslookup), p0f, NetE, SNMPWalk)

-Password Cracking
(LC5 (LM/NTLM Hashes), LCP Tool, Cain and Abel (Multi-cracking tool), Passcracking.com (MD5, SHA1, MySQL), THC-Hydra)

-Vulnerability Assessment
(Tenable Nessus, NeXpose, QualysGaurd, X-Scan, Shadow Security Scanner(SSS), SARA, SAINT, ISS Scanner, eEye Retina, Matta Colossus)

-Exploitation & Privilege Escalation
(Metasploit Framework, InGuma Toolkit, *nix Local Root Exploits-http://www.linuxrootkit.cn/localroot/, WebShells(like c99/r57shell for PHP and others for ASP,JSP,ASPX,PL) including web-based backdoors, IIS/Apache based privilege escalation tools etc.)

-Maintaining Access
Rootkits (AFXRootkit, AphexRootkit, FURootkit, hxdef100r, Nuclear-Rootkit, MBR Rootkits)
Trojans (Shark, Nuclear RAT, ProRat, Poison Ivy, Bifrost)
NTFS ADS (Alternative Data Streams to hide data inside another file)
Steganography (Mp3Stego, ImageHide, Camera/Shy)

-Covering Tracks
(AuditPool, Evidence Eliminator, WinZapper)

NOTE:
Familiarizing yourself with these tools and their techniques in your lab, and understanding their procedures and usage, will help you carry out a successful penetration test against your chosen target. Beside these tools, a number of other security auditing tools exist; mentioning all of them is beyond the scope of a blog post, but some worth looking at, in their relevant categories, are:

-Static Code Analysis
(FindBugs, RATS, CodeSecure, Coverity Prevent, Pixy, SWAAT, MZTools, Fortify, Ounce, Parasoft, Sprajax)

-Fuzzing Tools
(SPIKE, Sulley, PROTOS, WSFuzzer, Codenomicon, Peach, beSTORM, EFS, ISIC, zzuf, Scratch, LXAPI, antiparser, FileFuzz)

-Advanced Automated Exploitation
(ImmunitySec Canvas, Argeniss 0day, CoreImpact, GLEG VulnDisco)

-Web Application & Database PenTesting Tools
(Acunetix Scanner, Watchfire Appscan(IBM), SPI Dynamics WebInspect(HP), NGSSQuirreL, AppDetectivePro, Typhon III, Paros Proxy, BurpSuite, Cenzic Hailstorm, WebScarab, Wapiti, Nikto, w3af)

-Penetration Testing Methodologies and Assessment Frameworks
(OSSTMM, ISSAF, VulnerabilityAssessment.co.uk)


Online Vulnerability Databases:

SecurityFocus (http://www.securityfocus.com)
milw0rm (http://www.milw0rm.com)
Packet Storm (http://www.packetstormsecurity.org)
FrSIRT (http://www.frsirt.com)
MITRE Corporation CVE (http://cve.mitre.org)
NIST National Vulnerability Database (http://nvd.nist.gov)
ISS X-Force (http://xforce.iss.net)
CERT vulnerability notes (http://www.kb.cert.org/vuls)




Penetration Testing: From "A" to "Z"



A path toward a security assessment or penetration test begins with numerous steps, each following a number of different or related operations. The following are the main steps that lead to an in-depth security analysis of the target host or network to be penetrated successfully, from information gathering to exploitation.

-Information Gathering or Footprinting
(Public database (whois), Netcraft, Telephone directories, Physical Locations, Blogs, Newsgroups)

-Scanning the Network
(Nmap, Unicorn Scan, Scanrand, Superscan)

-Enumeration & Service Identification
(Netcat, DumpSec, NBTScan, DNS Zone Transfers (nslookup), p0f, NetE, SNMPWalk)

-Password Cracking
(LC5 (LM/NTLM Hashes), LCP Tool, Cain and Abel (Multi-cracking tool), Passcracking.com (MD5, SHA1, MySQL), THC-Hydra)

-Vulnerability Assessment
(Tenable Nessus, NeXpose, QualysGaurd, X-Scan, Shadow Security Scanner(SSS), SARA, SAINT, ISS Scanner, eEye Retina, Matta Colossus)

-Exploitation & Privilege Escalation
(Metasploit Framework, InGuma Toolkit, *nix Local Root Exploits-http://www.linuxrootkit.cn/localroot/, WebShells(like c99/r57shell for PHP and others for ASP,JSP,ASPX,PL) including web-based backdoors, IIS/Apache based privilege escalation tools etc.)

-Maintaining Access
Rootkits (AFXRootkit, AphexRootkit, FURootkit, hxdef100r, Nuclear-Rootkit, MBR Rootkits)
Trojans (Shark, Nuclear RAT, ProRat, Poison Ivy, Bifrost)
NTFS ADS (Alternative Data Streams to hide data inside another file)
Steganography (Mp3Stego, ImageHide, Camera/Shy)

-Covering Tracks
(AuditPool, Evidence Eliminator, WinZapper)

NOTE:
Besides helping yourself with these tools and their techniques in your lab and understanding their procedures and usage, you can evaluate the success of the penetration test against your chosen target. Apart from these tools, there is another series of security auditing tools; mentioning all of them is out of reach. However, the names of some of them, in their corresponding categories, are worth analyzing:

-Code Analysis
(FindBugs, RATS, CodeSecure, Coverity Prevent, Pixy, SWAAT, MZTools, Fortify, Ounce, Parasoft, Sprajax)

-Fuzzing Tools
(SPIKE, Sulley, PROTOS, WSFuzzer, Codenomicon, Peach, beSTORM, EFS, ISIC, zzuf, Scratch, LXAPI, antiparser, FileFuzz)

-Advanced Automated Exploitation
(ImmunitySec Canvas, Argeniss 0day, CoreImpact, GLEG VulnDisco)

-Web Application & Database Penetration Testing Tools
(Acunetix Scanner, Watchfire Appscan(IBM), SPI Dynamics WebInspect(HP), NGSSQuirreL, AppDetectivePro, Typhon III, Paros Proxy, BurpSuite, Cenzic Hailstorm, WebScarab, Wapiti, Nikto, w3af)

-Penetration and Assessment Methodologies
(OSSTMM, ISSAF, VulnerabilityAssessment.co.uk)

Online Vulnerability DBs:
SecurityFocus (http://www.securityfocus.com)
milw0rm (http://www.milw0rm.com)
Packet Storm (http://www.packetstormsecurity.org)
FrSIRT (http://www.frsirt.com)
MITRE Corporation CVE (http://cve.mitre.org)
NIST National Vulnerability Database (http://nvd.nist.gov)
ISS X-Force (http://xforce.iss.net)
CERT vulnerability notes (http://www.kb.cert.org/vuls)



Translated by: Rafael M and Alfredo G.