Sunday, October 17, 2010

New leaf on blogging

OK. I'm sorry it's been so long. It is harder to keep up with blogging than I thought. I think I have a new plan. I tend to take at least 15 minutes to learn something new in computers, probably more computer security than just computers, every day. What I plan to do is just post a synopsis of what I learned each day. That way I can share what I am learning and attempt to solidify the concept in my mind as well. So this will be my first.

The first thing I'd like to announce is a second blog that I now have to keep up with: http://internetopenurla.blogspot.com/. On that blog we will basically be taking malware samples from the wild that we have come across or that people have submitted. We will reverse engineer the malware step by step and show how we do it. This will help people learn the common techniques used to find out what malicious software is doing, and thus how to stop it. We plan to post there once a month. You can follow the updates on Twitter @inetopenurla.

So on to the regularly scheduled program. What did I learn today? Glad you asked.

I have been looking at ways to get around application whitelisting programs such as Bit9 or Microsoft's AppLocker. For those who may not know, application whitelisting is a technique where you state which applications you know to be good and want to allow; every other application will not run because it is not approved. You can approve applications in a number of ways: by the digital signature of the application's publisher (e.g. Microsoft), by the file's hash value, or by where the file is installed on your system (e.g. C:\Program Files or C:\Windows\System32). A hash value is a mathematical computation over the file's contents, so renaming an approved file does not change its hash, and a different file that someone renames to the same name still does not match.
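To make the rule types above concrete, here is an added example (my own Python model, not code from the original post and not the actual AppLocker or Bit9 engine). It evaluates path rules and hash rules against a few constructed "files"; publisher-signature rules are left out because checking an Authenticode signature needs a real binary. The file contents, paths and rule names are constructed, and the precedence modelled (deny beats allow, no match means blocked) is an assumption patterned on how AppLocker documents its enforcement.

```python
import hashlib
import ntpath  # Windows-style path handling, available on any host OS
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    kind: str    # "path" (directory prefix) or "hash" (SHA-256 hex of the file contents)
    action: str  # "allow" or "deny"
    value: str
    name: str


def sha256_hex(data: bytes) -> str:
    """Hash of the file contents; the file name plays no part in it."""
    return hashlib.sha256(data).hexdigest()


def path_matches(prefix: str, path: str) -> bool:
    """Case-insensitive prefix match that respects directory boundaries,
    so a rule for C:\\Windows does not also cover C:\\WindowsOld."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(prefix)).rstrip("\\") + "\\"
    return p.startswith(d)


def evaluate(path: str, data: bytes, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Return (decision, matching rule name).
    Assumed precedence: any matching deny rule wins over allow rules,
    and a file that matches no rule at all is blocked (default deny)."""
    digest = sha256_hex(data)
    matched = [
        r for r in rules
        if (r.kind == "path" and path_matches(r.value, path))
        or (r.kind == "hash" and r.value == digest)
    ]
    for r in matched:
        if r.action == "deny":
            return "deny", r.name
    for r in matched:
        if r.action == "allow":
            return "allow", r.name
    return "deny", None


# Constructed stand-ins for executable images (not real PE files).
NOTEPAD_BYTES = b"MZ-constructed-notepad-image"
UNKNOWN_BYTES = b"MZ-constructed-unknown-image"

# Constructed policy: broad path allows, one hash allow, and a deny that carves
# a user-writable folder back out of the broad C:\Windows allow.
RULES = [
    Rule("path", "allow", r"C:\Windows", "allow-windows-dir"),
    Rule("path", "allow", r"C:\Program Files", "allow-program-files"),
    Rule("hash", "allow", sha256_hex(NOTEPAD_BYTES), "allow-notepad-hash"),
    Rule("path", "deny", r"C:\Windows\Temp", "deny-windows-temp"),
]

# Constructed files to evaluate.
SAMPLES: Dict[str, bytes] = {
    r"C:\Windows\System32\notepad.exe": NOTEPAD_BYTES,      # trusted location
    r"C:\Users\alice\Downloads\tool.exe": NOTEPAD_BYTES,    # same bytes, renamed, odd location
    r"C:\Users\alice\Downloads\notepad.exe": UNKNOWN_BYTES, # right name, different bytes
    r"C:\Windows\Temp\dropped.exe": UNKNOWN_BYTES,          # inside the allowed tree, but denied
}


def run_demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Evaluate every sample against the policy and return the decisions."""
    return {path: evaluate(path, data, RULES) for path, data in SAMPLES.items()}


if __name__ == "__main__":
    for path, (decision, rule) in run_demo().items():
        print(f"{decision:5}  {path}  ({rule or 'no matching rule'})")
```

The two interesting rows are the renamed copy in Downloads, which is still allowed because the hash follows the content and not the name, and the unknown file named notepad.exe, which is blocked because a name alone matches nothing. The last row shows why path rules need care: a path rule trusts everything beneath it, so any directory it covers must not be writable by ordinary users, or it needs an explicit deny like the one above.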

So I have been trying to see how I can get around this. It turns out that Microsoft includes an application called iexpress on Windows XP and later. This application allows you to combine multiple applications into one self-extracting executable. The interesting thing is, if you look at the publisher information, it appears to be signed by Microsoft. These files are generally in your allow list in whitelisting because we should all trust Microsoft, right ;)

You can see an example of how to do this with Metasploit and the iexpress tool mentioned above here. It turns out that my testing with Microsoft AppLocker with default rules still blocks this technique. I'm continuing my journey to see if I can figure out a way around that.
