Sunday, October 24, 2010

Are you Up 2 Date?

Many people keep up on their Windows patches, which is a good thing. If you don't, shame on you! You should. It's easy: just turn on Automatic Updates, located in the Control Panel of your Windows operating system.

Here is something you might not have known: a lot of the malware coming out these days is targeting vulnerabilities in third-party applications such as Adobe, Java, Chrome, etc. How often do you update those applications?

Agreed, it's a pain to update each individual application you have. Enter Secunia's Personal Software Inspector (PSI). This is a free application that lets you know when you have programs with known vulnerabilities or patches available. It will also assist you in getting all of the patches for each program.

They also have an online version called Online Software Inspector, but it covers fewer applications than the PSI. I would recommend installing the PSI and giving it a try. It's highly important to keep ALL of your applications up to date, not just the Windows ones!

Friday, October 22, 2010

Interesting DNS results

Most of you have probably heard of Wikipedia. If not, where have you been? Under a rock? I saw a demo the other day of something rather interesting they were doing. Apparently, you can look up quick references from Wikipedia by using DNS tools such as NSLOOKUP and DIG. All you need to do is specify what you want to look up, followed by .wp.dg.cx. Here are a few examples with their output:

With DIG (looking up dogs):

dig txt dogs.wp.dg.cx

;; QUESTION SECTION:
;dogs.wp.dg.cx.            IN    TXT

;; ANSWER SECTION:
dogs.wp.dg.cx.        86400    IN    TXT    "The dog (Canis lupus familiaris) is a domesticated subspecies of the gray wolf, a member of the Canidae family of the order Carnivora. The term is used for both feral and pet varieties. The domestic dog has been one of the most widely kept working and com" "panion animals in human history. http://en.wikipedia.org/wiki/Dog"

With NSLOOKUP (looking up Cats):

nslookup -querytype=txt cats.wp.dg.cx

Non-authoritative answer:
cats.wp.dg.cx   text =

        "The cat (Felis catus), also known as the domestic cat or house cat to distinguish it from other felines and felids, is a small predatory carnivorous species of crepuscular mammal that is valued by humans for its companionship and its ability to hunt vermi" "n, snakes, scorpions, and other unwanted household pests. It has been associated with humans for at least 9,500 years... http://a.vu/w:Cat"

I'm not sure how they are doing it yet, but it's a geeky little feature that I thought I would share :). You do need to specify that you want TXT records only. You do that by specifying txt in your DIG command, or -querytype=txt in your NSLOOKUP command if you are typing it all on one line. If you use interactive NSLOOKUP, use set type=txt.
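The two quoted strings in the dig answer above are a property of the TXT record format itself, not of the Wikipedia gateway. As an added example (not code from the post), here is a small encoder/decoder for TXT RDATA that reproduces that split; the sample fragments are copied from the dig output above and the server behaviour is otherwise not modelled.

```python
"""Decode and encode DNS TXT RDATA (RFC 1035 section 3.3.14).

TXT RDATA is a sequence of <character-string>s: one length byte, then up to
255 bytes.  dig prints each one in its own double quotes, which is why the
wp.dg.cx answer above reads "...working and com" "panion animals...".
Sample data is constructed from the dig output quoted in the post.
"""
MAX_CHARACTER_STRING = 255

def parse_txt_rdata(rdata: bytes) -> list[bytes]:
    """Split TXT RDATA into character-strings, rejecting truncated data."""
    strings, pos = [], 0
    while pos < len(rdata):
        length, pos = rdata[pos], pos + 1
        if pos + length > len(rdata):
            raise ValueError(f"truncated character-string at offset {pos - 1}")
        strings.append(rdata[pos:pos + length])
        pos += length
    return strings

def encode_txt_rdata(strings: list[bytes]) -> bytes:
    """Pack character-strings into TXT RDATA; each must fit one length byte."""
    out = bytearray()
    for s in strings:
        if len(s) > MAX_CHARACTER_STRING:
            raise ValueError(f"character-string of {len(s)} bytes exceeds 255")
        out += bytes([len(s)]) + s
    return bytes(out)

def split_text(text: str) -> list[bytes]:
    """Chunk long UTF-8 text as a TXT publisher must, 255 bytes at a time."""
    data = text.encode("utf-8")
    return [data[i:i + MAX_CHARACTER_STRING]
            for i in range(0, len(data), MAX_CHARACTER_STRING)]

def dig_style(strings: list[bytes]) -> str:
    """Render like dig's ANSWER SECTION: each character-string double-quoted."""
    return " ".join('"%s"' % s.decode("utf-8", "replace").replace('"', '\\"')
                    for s in strings)

# Constructed from the two quoted fragments in the dig output above.
DOG_FRAGMENTS = [
    b"The domestic dog has been one of the most widely kept working and com",
    b"panion animals in human history. http://en.wikipedia.org/wiki/Dog",
]

if __name__ == "__main__":
    parts = parse_txt_rdata(encode_txt_rdata(DOG_FRAGMENTS))
    print(dig_style(parts))          # two quoted strings, as dig shows them
    print(b"".join(parts).decode())  # the re-joined, readable text
```

Joining the character-strings without any separator restores the original text, so "com" "panion" becomes "companion".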

Wednesday, October 20, 2010

WinRM

What is it? Well, it appears to be a way to manage Windows systems over HTTP or HTTPS. This just sounds like a bad idea to me! I haven't looked much into it yet, so I can't say it is definitely a bad idea just yet. It seems I can get system information remotely, including disk and process information, start or stop services, or make system changes remotely.

So, why would this be a bad idea? Well, first of all, it supports HTTPS, which is a secure web protocol. That's a good thing, right? Doesn't that take away some of the problem? NO! Now an attacker has secure communications to your workstations! This is going to bypass your network security defenses, unless of course you are using some sort of SSL man-in-the-middle inspection that lets you see into encrypted sessions. Since most are not doing that, this is a serious risk.

Think of it this way. In my last post I discussed how I was attempting to bypass application whitelisting by providing a valid signature that would be trusted on such a system. Why would I do that now if I can use WinRM, which is not only probably signed by Microsoft but is also a built-in Microsoft tool (on Vista and above)? Of course this tool is going to be trusted. Now it's even easier to control your system without using those evasion techniques.

Expect to see more from me on this. I'm going to continue to test it out and see how far one can actually go with this technology.

Sunday, October 17, 2010

New leaf on blogging

OK. I'm sorry it's been so long. It is harder to keep up with blogging than I thought. I think I have a new plan. I try to spend at least 15 minutes every day learning something new about computers, more often computer security than computers in general. What I plan to do is post a synopsis of what I learned each day. That way I can share what I am learning and solidify the concept in my own mind as well. So this will be my first.

The first thing I'd like to announce is a second blog that I now have to keep up with: http://internetopenurla.blogspot.com/. On that blog we will be taking malware samples from the wild that we have come across or that people have submitted. We will reverse engineer the malware step by step and show how we do it. This will help people learn the common techniques used to find out what malicious software is doing, and thus how to stop it. We plan to post there once a month. You can follow the updates on Twitter @inetopenurla.

So, on to the regularly scheduled program. What did I learn today? Glad you asked.

I have been looking at ways to get around application whitelisting programs such as Bit9 or Microsoft's AppLocker. For those who may not know, application whitelisting is a technique in which you state that only certain applications you know to be good are allowed to run. All other applications will not run because they are not approved. You can approve applications in a number of ways: by the digital signature of the application's publisher (e.g. Microsoft), by the file's hash value, or by where the file is installed on your system (e.g. C:\Program Files or C:\Windows\System32). A hash value is computed from the file's contents rather than its name, so renaming an approved file does not change its hash, and renaming some other file to an approved name does not make it match.
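To make the three rule types concrete, here is a toy whitelisting decision model as an added example (not Bit9's or AppLocker's code). It assumes signature validation has already happened and treats `publisher` as the validated signer name; the path check shows two caveats a practitioner would want, trailing-separator prefix matching and `..` normalization.

```python
"""Toy model of an application-whitelisting decision: an added example, not
Bit9's or AppLocker's code.  It evaluates the post's three rule types
(publisher, hash, path).  Signatures are not verified; `publisher` stands in
for a signer name the OS has already validated (an assumption of this model).
"""
import hashlib
import ntpath
from dataclasses import dataclass

@dataclass
class File:
    path: str        # where the file sits on disk
    content: bytes   # what actually gets hashed and executed
    publisher: str = ""  # validated signer name, "" if unsigned

def _norm(path: str) -> str:
    # Collapse ".." segments and fold case, as NTFS is case-insensitive.
    return ntpath.normpath(path).lower()

def path_allowed(path: str, trusted_dir: str) -> bool:
    """Allow only files genuinely under trusted_dir (trailing separator
    keeps C:\\Program Files2\\ from matching C:\\Program Files)."""
    prefix = _norm(trusted_dir).rstrip("\\") + "\\"
    return _norm(path).startswith(prefix)

def is_allowed(f: File, rules: list[dict]) -> tuple[bool, str]:
    """Return (decision, reason) following the post's three rule types."""
    for rule in rules:
        if rule["type"] == "publisher" and f.publisher == rule["name"]:
            return True, f"publisher {rule['name']}"
        if rule["type"] == "hash" and hashlib.sha256(f.content).hexdigest() == rule["sha256"]:
            return True, "hash of approved binary"
        if rule["type"] == "path" and path_allowed(f.path, rule["dir"]):
            return True, f"path under {rule['dir']}"
    return False, "no rule matched (default deny)"

# Constructed sample: an "approved" tool and an impostor given the same name.
GOOD = b"MZ...approved-tool-bytes"
EVIL = b"MZ...something-else"
RULES = [
    {"type": "publisher", "name": "Microsoft Corporation"},
    {"type": "hash", "sha256": hashlib.sha256(GOOD).hexdigest()},
    {"type": "path", "dir": r"C:\Program Files"},
]

if __name__ == "__main__":
    for f in [File(r"C:\Tools\tool.exe", GOOD), File(r"C:\Temp\renamed.exe", GOOD),
              File(r"C:\Temp\tool.exe", EVIL), File(r"C:\Program Files2\x.exe", EVIL),
              File(r"C:\Program Files\..\Temp\x.exe", EVIL)]:
        print(f.path, "->", is_allowed(f, RULES))
```

The renamed copy of the approved binary is still allowed because its hash is unchanged, while the impostor carrying the approved file name is denied; the last two paths are denied because normalization happens before the prefix comparison.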

So I have been trying to see how I can get around this. It turns out that Microsoft includes an application called iexpress on Windows XP and later. This application allows you to combine multiple applications into one self-extracting executable. The interesting thing is, if you look at the publisher information, it appears to be signed by Microsoft. These files are generally on your allow list in whitelisting, because we should all trust Microsoft, right? ;)

You can see an example of how to do this with Metasploit and the iexpress tool mentioned above here. It turns out that in my testing, Microsoft AppLocker with default rules still blocks this technique. I'm continuing my journey to see if I can figure out a way around that.