The Natwest Phishing attack

Since I moved to UK, the number of phishing emails cluttering my inbox have dramatically increased. Some of them are pretty obvious to look and laugh upon, but this one was pretty interesting.

The email looked like below.

The interesting thing is that i WAS having problems signing in to my account since a couple of days. Nevertheless following the URL which took me to

http://gobelsburg.info/wordpress/wp-content/uploads/2007/06/www.nwolb.com/default.aspx/index.html

Looks perfectly like the Natwest online banking website here: http://www.natwest.com

The poor http://gobelsburg.info on the other hand, seems an “innocent” host of the phishing kit.

Tor Controller

Vidalia is a cross-platform controller for Tor (The Onion Router) for network anonymity, built using the Qt toolkit. It allows the user to start, stop, and view the status of Tor, monitor bandwidth usage, view, filter, and search log messages, and configure some aspects of Tor.

The most feature of Vidalia is its Tor network map, which lets the user see the geographic location of servers on the Tor network, as well as where the user’s application traffic is going.

You can even dynamically change your paths (hops) and create a new identity for each connection.

Vidalia is released under the GPL. It runs on any platform supported by Qt 4.1, including Windows, Mac OS X, and Linux or other Unix-like variants using the X11 window system.

Blogged with Flock

A talk on Open Source on Software Freedom Day

The world celebrated the Software Freedom Day on 15th September 2007. We had some 100+ countries and more than 300 groups covering the free software world in different form of activities, presentations and events. The webmasters of FAST-NU Karachi also organized an event and talk series on the day and I felt really honored and delighted when I got an invitation to speak before the undergraduates of what open source is and how it is used in the industry.

I chose the topic “Open Source in the enterprise” picking up the best open source projects I use frequently and have known to be used as solid, industry standard applications in different domains. It was a wonderful experience going back to my university and meeting with a bunch of brilliant future computer scientists.

The slides of the presentation can be found here.

Network Traffic Visualization

Rumint is a network and security visualization tool. It allows you to load packet capture files as well as perform live packet capture and visualize the results using a variety of visualization techniques. You can then filter the dataset and play back the data using a PVR interface. Version 1.92 adds the ability to directly load PCAP files.

It is the only tool on windows that looks promising in replaying traffic. The website desribes a sample ping trace between two systems and how to decode the generated visualization in detail.

Defeating anonymity by monitoring clock skew ?

A Cambridge University researcher Steven J Murdoch has a devised a novel attack on online anonymity systems in which he literally takes a computer’s temperature over the internet.

The attack uses a phenomenon called “clock skew” the tendency for the precise clocks in modern computers to drift off of the correct time at slightly different rates, which can be affected by heat.

“When a crystal is manufactured, it has a clock skew, and it’s different for each crystal (throughout its) lifetime,” he explains while discussing his work at the Chaos Communications Congress on Thursday.

Last year UCLA Ph.D. student Tadayoshi Kohno showed that clock skew can be used to identify computers on the internet, by charting the timestamps in a machine’s traffic. But the skew is a fairly weak identifier, providing at best 64 unique fingerprints. A network of a thousand computers would have 16 with an identical clock skew.

The research spawned a variety of theories on how clock skew could be used to attack anonymity online : from detecting daytime hours at a server located in an unknown country, to counting the number of hosts behind a NAT firewall. Murdoch was the first to make an attack work.

His victim is the Onion Router Network (TOR). Tor encrypts a user’s traffic, and bounces it through multiple servers, so the final destination doesn’t know where it came from.

Murdoch set up a Tor network at Cambridge to test his technique, which works like this: If an attacker wants to learn the IP address of a hidden server on the Tor network, he’ll suddenly request something difficult or intensive from that server. The added load will cause it to warm up.

Because temperature affects how fast most electronics operate, warming up the machine causes microscopic changes in clock skew over time. Now the attacker queries computers on the public internet that he suspects of being the Tor server, looking for the shift in skew over the course of hours.

When he finds a computer that has guilty change in its timestamps, he has a match.

“It’s actually quite hard to defend against,” says Murdoch. “(You can) lock the timestamp, but even without explicate timestamps, it’s conceivable.”

That doesn’t mean it’s time to give up on online anonymity: Murdoch points out that other attacks on Tor are currently easier and quicker.

Ironically it might be the most extremely hardened computers that would be most vulnerable to this style of attack. Murdoch theorizes that military computers with precise time reporting should be easier than more casual networks like Tor, in the long run.

Top 10 Web Hacks of 2006

RSnake, Robert Auger, and Jeremiah of WhiteHatSecurity collected a list of the new 2006 web hacks. The term “hacks” loosely describe some of the more creative, useful, and interesting techniques/discoveries/compromises.

Top 10

1. Web Browser Intranet Hacking / Port Scanning – (with JavaScript and with HTML-only and the improved model)
2. Internet Explorer 7 “mhtml:” Redirection Information Disclosure
3. Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning
4. Web Browser History Stealing – (with CSS, evil marketing, JS login-detection, and authenticated images)
5. Backdooring Media Files (QuickTime, Flash, PDF, Images, Word [2], and MP3′s)
6. Forging HTTP request headers with Flash
7. Exponential XSS
8. Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)
9. Web Worms – (AdultSpace, MySpace, Xanga)
10. Hacking RSS Feeds

A more comprehensive list can be found here.

Torrified

Some time ago i wrote about internet privacy and some steps to hide your online presence. I have been an aggressive user of Tor lately running a Tor server myself. Lately i was asked by quite a many (not so technical people) to have an instance of Tor running on there systems (whatever purpose they wanted to achieve i wasnt interested) but for many even the simplest instructions for setting up Tor + Privoxy + a switch proxy plugin wont do and probably on mass install (say for e.g in a test lab network of hundred pc’s this could be a little time consuming).

Searching for some automated scripts / installers for Tor i found the TorPark Project. The project description says:

Download Torpark and put it on a USB Flash keychain. Plug it into any internet terminal whether at home, school, or public. Run Torpark.exe and it will launch a Tor circuit connection, which creates an encrypted tunnel from your computer indirectly to a Tor exit computer, allowing you to surf the internet anonymously. How much does Torpark cost? IT’S FREE.

I dont see anything more simpler at the moment.

Happy tor-ring.

Merging .NET DLLs with one another

Microsoft just released a utility (ILMerge) merge multiple .NET assemblies into a single assembly. ILMerge takes a set of input assemblies and merges them into one target assembly. The first assembly in the list of input assemblies is the primary assembly.

When the primary assembly is an executable, then the target assembly is
created as an executable with the same entry point as the primary
assembly. Also, if the primary assembly has a strong name, and a .snk
file is provided, then the target assembly is re-signed with the
specified key so that it also has a strong name.

ILMerge is packaged as a console application. But all of its
functionality is also available programmatically. Starting with Visual
Studio 2005 it is allowed to add an executable as a reference, so you
can write a C# client that uses ILMerge as a library. If you are using
Visual Studio 2003, you must use the v1.1 version of ILMerge and rename
it to be a dll in order to use it as a reference.
ILMerge installer and documentation can be found here.

Blogged with Flock

Runtime Unmanaged Code Analysis for Software and Security Testing (Part I)

One of the biggest challenges faced by programmers, architects, testers, and security consultants is to understand the consequences of their applications when deployed into production. Even with access to source code, it is difficult to understand everything that will occur during execution due to a variety of dependencies (for example. Different OS platforms, multiple patch levels, multiple groups contributing to code or leveraging external components).

The Microsoft Application Verifier is a runtime verification tool for unmanaged code that assists in quickly finding subtle programming errors that can be extremely difficult to identify with normal application testing. It is designed specifically to detect and help debug memory corruptions and critical security vulnerabilities. It makes it easier to create reliable applications and on the other hand find potential vulnerabilities by monitoring an application’s interaction with the OS, profiling its use of objects, the registry, the file system, and Win32 APIs (including heaps, handles, locks, and more). It also includes checks to predict how well the application will perform under Least-privileged User Account operation.

Application Verifier Identifies whether the applicaion:

• Is using:
Unsafe TerminateThread APIs.
Correct use of Thread Local Storage (TLS) APIs.
Correct use of virtual space manipulations (for example, VirtualAlloc, MapViewOfFile).
• Is hiding access violations using structured exception handling.
• Is attempting to use invalid handles.
• Contains memory corruptions or issues in the heap.
• Runs out of memory under low resources.
• Usage of critical sections is correctly occurring.
• Will run well in an environment with less privilege.
• Has any potential problems when the application is running as a limited user.
• Has uninitialized variables in future function calls in a thread’s context.

Tests within AppVerifier :

The tests included in the Application Verifier are to help software developers avoid common mistakes by using verification layers to validate the usage of API families:

• Basics Verification – These are the core set of tests that check for issues within heap, handles, locks, and more.
• Low Resource Simulation Verification – This test simulates an environment under low resources for example, out of memory.
• Limited User Account Predictor Verification – This test simulates an environment running as a user with a limited user account in either predictive or diagnostic mode and identifies potential problems accordingly.
• Miscellaneous Verification – This consists of two checks: Dirty Stacks and Dangerous APIs.

Getting and Installing Application Verifier:

The latest version of Microsoft Application Verifier can be downloaded from here . The installation is pretty simple and a straightforward next next.

Using the Application Verifier Tests:

The AppVerifier can be run through either the User Interface and / or automated through the command line. I will describe both these process in detail. The expectation for these scenarios is that the application does not break into debugger and all tests pass with the same pass rate as when run without AppVerifier enabled.

The Basic Tests:

1. Enable verifier for the application(s) you wish to test using:
From the command line: appverif /verify ApplicationToTest.exe or from the user interface:

Add your application by right-clicking within the Applications area and clicking Add Application. Select Basics from the Tests area and click Save.

Note:
• /verify enables the basic tests.
• If you are testing a DLL Application, AppVerifier has to be enabled for the test .exe that is exercising the DLL. You cannot debug a standalone DLL.
• Run the verification layers separately.

2. Run ALL your test exercising the application.
3. Analyze any debugger breakpoints encountered. If a break occurs, you need to understand why and fix it. (The Help contents provide details on the breaks and how to investigate them.)

Finally from the command line: appverif /n ApplicationToTest.exe or from the user interface:
Remove your application by right-clicking within the Applications area and clicking Delete Application and click the Save button.

The Low Resource Simulation and Fault Injection :

The expectation for this scenario is that the application does not break into the debugger. This means that you have no errors that need to be addressed. The pass rate for the tests may decrease significantly since random fault injections are introduced into the normal operation.

1. Enable Application Verifier low resource simulation (fault injection) for the application(s):
From the command line: Appverif /verify ApplicationToTest.exe /faults or from the user interface: Select Low Resource Simulation from the Tests area and click save.

Note: If you are testing a DLL, you can apply low resource simulation (fault injection) on a particular DLL instead of the whole process. The command line format would be:
appverif /verify TARGET [/faults [PROBABILITY [TIMEOUT [DLL …]]]]
Example: appverif /verify ApplicationToTest.exe /faults 5 1000 d3d9.dll

2. Run ALL your tests exercising the application.
3. When finished, delete all settings. Analyze any debugger break(s) encountered. If a break occurs, you will need to understand why and fix it.
4. When finished, delete all settings:

Running with and without fault injection exercises largely different code paths in an application and therefore both scenarios must be run in order to get the full benefit of AppVerifier.

Analyzing AppVerifier Data :

All data created during AppVerifier analysis is stored in the %ALLUSERSPROFILE%\AppVerifierLogs folder in a binary. These logs can then be converted to XML via the user interface or command line for further analysis. To view the XML files, use any: 1. Web Browser 2. Create an XSLT transformation to convert raw XML content 3. Import into Excel or any Database.

Some Key Points:

• AppVerifier is designed to test unmanaged applications (non-.NET Framework applications) on Microsoft (2000 and above) platforms.
• While running a full page heap, it is recommended to be at least 1 GB.
• It does not need access to the source code to execute its tests, although the availability of either the application’s symbols or debug information will make a dramatic difference in the quality and usefulness of the data collected.

How Does AppVerifier Work?

AppVerifier works by modifying the unmanaged DLLs Method Tables so that the required checks are performed before the real function is executed (“Function Hooking”). For example, the address of the Win32 API CreateFileA method is replaced with an internal AppVerifier method that will trigger a series of tests that when positive will be logged. When new processes are started, the use of AppVerifier’s Method Table Hooking techniques is controlled by entries made in specific registry keys. If the registry entry exists, then the AppVerifier DLL will be loaded in a newly created process that will handle the Method Table replacements in the existent and subsequently loaded DLLs. Since these hooks are made when the DLL is loaded, it is not possible to use AppVerifier on a process that is already running.

When a problem is identified a verifier stop will occur. The number provided is used to identify the exact nature and reason for its occurrence.

Detecting Heap Corruptions:

In order to detect heap corruptions (overflows or underflows), AppVerifier will modify the way memory is allocated by padding the requested memory with either full non-writable pages or with special tags before and after the allocated memory.

When padding the requested memory with full non-writable pages, AppVerifier will consume a large amount of virtual memory but has the advantage that heap corruption events are cached in real time when the overflow or underflow occurs. The heap check will place a guard page at the beginning or end of allocation depending on the Backward property. If Backward is set to False, which is the default, it will place a guard page at the end of the allocation to catch buffer overruns. If it is set to True, the guard page is placed at the beginning of the allocation to catch buffer underruns.

When padding the requested memory with special tags (enabled by clearing the “Full” check box item in the heap properties), AppVerifier will check and alert you when this memory is released. The main problem in using this technique is that there are some cases when the memory corruption will only be detected when the memory is released (the minimum amount of memory block is 8 bytes), so when on a 3-byte variable or a 5-byte overflow occurs it will not be immediately detected.

On an underflow event, an attempt will be made to write to a Read-Only page. This will trigger an exception. This exception is only be caught if the target application is being executed under a debugger. Note that the full page heap mode will also detect these errors as it uses padding + guard pages. The reason you would use light page heap is if your machine cannot tolerate the high memory constraints of full page heap.

For memory intensive applications, or when it is required to use AppVerifier during long periods of time (e.g. stress testing), it is better to run normal (light) heap tests instead of full mode due to the performance degradation. However, when you run into an issue turn on full page heap to investigate further.

References and Further Reading :

MSDN, Microsoft Application Verifier Help.
Function Hooking and Patching Articles: Detours
From Code Project: API hooking revealed – Process-wide API spying – an ultimate hack
The Files used for reference can be downloaded from here.

file hunting with Google

Im my last weeks blog i mentioned about google indexing binary files and some tricks for searching malware. Playing around with different queries on google i realized how large the count is for open directory browsing enabled servers. By default on apache based servers if the Option directive in directory tag is not set to none or index the webserver is completely browsable. Many free hosting services and pernonal site servers also keep it enabled by default.

I started of with searching for some not-publicly-available softwares and encouraged by the results modified the searches for some mp3′s as well.

A simple query:

intitle:”index of” +”last modified” +”parent directory” +description +size +(wma | mp3) ArtistName SongName

got me to numerous sites that hosted the songs i needed. You can also modify the file extensions to any kind of files you want and precise your search by adding more extensions in the OR list in brackets.

For more adventerous the same trick works for IIS as well :).

Blogged with Flock.