TrueCrypt now does pre-boot authentification

TrueCrypt is an open source on the fly (transparent) whole disk encryption software for Windows, Linux and MacOS that now supports pre-boot authentication on Windows. This means you can use this to replace PGPDisk or BitLocker.

It supports AES-256, Serpent and Twofish encryption, hidden volumes with two levels of plausible deniability and hidden volumes.

Hibernation File Forensics

The Sandman Project is a C library that allows you to read the Windows hibernation file like a standard memory dump.

Magic Rescue - File Carving tool

Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them. It looks at "magic bytes" in file contents, so it can be used both as an undelete utility and for recovering a corrupted drive or partition. As long as the file data is there, it will find it.

It may have problems on very fragmented filesystems.

ReviveIT (Revit) - smart data recovery tool (file carving).

Performing digital forensics or data recovery can sometimes be problematic, and you will eventually need to resort to file carvers.

Revit (Revive IT) is an advanced file carver thta uses file structure based carving, originally developed for DFRWS 2006. This means you can carve files right out of raw disk data, even in the lack of a filesystem or partition table.

It is a noteworthy tool alongside Foremost and Scalpel.

A brief look at ClamAV security - Open Source Antivirus

A brief (over)look at ClamAV security and performance. Comparing Open Source Antivirus products with commercial products.

I've been looking into signature based open source security products lately, namely Antivirus software (for SMTP E-Mail gateways or File Servers or anything that would be used as a distribution point for example as well as for Desktop systems).

I've had a pretty good look at ClamAV and other ClamAV based products (ClamWin or Spyware Terminator which include the ClamAV Engine) and found them rather weak, both from a security point of view (vulnerabilities) and in terms of detection rates, as well as performance (speed) and usability (interface, features, etc).

Clam AntiVirus (ClamAV) is an open source (GPL) anti-virus toolkit for UNIX (also ported to Windows, and used by GUI products such as ClamWin) designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library.


I. Security track record - a look at common vulnerabilities

So let's take a look at ClamAV's security track record. A simple look on Secunia at the vulnerability summary reveals a stunning 25 security advisories (1 unpattched), 31 % of which lead to System Access and 91 % are exploitable from remote. 40 % of vulnerabilities are "Highly Critical". I realize that some of these are in 3rd party plugins and compression tools and such, but when an attacker just sends a specially crafted archive via E-mail or whatever means, and manages to buffer overflow and gain system access when ClamAV scans it, that's when you need to look at other products. There are ways to mitigate it, with permissions, limited users, chroots, jails and such, but still...




So let's compare that with another security product, Avira Antivir, basically multi-platform Antivirus software (also has a free version for non-commercial usage). We can see only 2 security vulnerabilities reported, both local and privilege escalation (Windows only too).



Vulnerabilities range from Denial of Service: "A NULL-pointer dereference error exists within the "cli_scanrtf()" function in libclamav/rtf.c. This can potentially be exploited to crash ClamAV via a specially crafted RTF file." to Buffer Overflow and System Access: "An integer overflow error in rebuildpe.c when rebuilding PE files after unpacking can be exploited to cause a heap-based buffer overflow via a specially crafted executable. Successful exploitation of this vulnerability may allow execution of arbitrary code."


II. Vulnerability assessment tools - Static Code Analsys

What about a source code audit of ClamAV? Well, I don't really have the time for that, but I did parse it through Flawfinder, RATS and other Static Code Analysis tools looking for simple lexical "bad practices" and functions (strings functions for example) that may overflow buffers and so on.

So, I download the source code for the latest stable release: ClamAV 0.91.2 (signature) and stumble across a ton of bad programming practices. While most of the time, they mean nothing (as they aren't really vulnerabilities or even exploitable, they are usually where most errors occur, and, as such, should be avoided). We basically have hundreds of such occurrences (537 marked as High and 83 marked as Medium by RATS), so I'm just going to paste a few interesting examples here:

..\clamav-0.91.2/clamav-milter/clamav-milter.c:266: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:859: High: getopt_long
Truncate all input strings to a reasonable length before passing them to this function

..\clamav-0.91.2/shared/getopt.c:961: High: fprintf
Check to be sure that the non-constant format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle.

..\clamav-0.91.2/sigtool/vba.c:1127: High: sprintf
Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s' without precision that could result in a buffer overflow.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:1205: High: popen
Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:1404: High: getenv
Environment variables are highly untrustable input. They may be of any length, and contain any data. Do not make any assumptions regarding content or length. If at all possible avoid using them, and if it is necessary, sanitize them and truncate them to a reasonable length.

..\clamav-0.91.2/shared/output.c:159: High: umask
umask() can easily be used to create files with unsafe priviledges. It should be set to restrictive values.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:1585: High: gethostbyname
DNS results can easily be forged by an attacker (or arbitrarily set to large values, etc), and should not be trusted.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:1703: High: strcpy
Check to be sure that argument 2 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.


..\clamav-0.91.2/shared/misc.c:132: High: printf
Check to be sure that the non-constant format string passed as argument 1 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle.

..\clamav-0.91.2/shared/output.c:235: High: syslog
Truncate all input strings to a reasonable length before passing them to this function

..\clamav-0.91.2/freshclam/manager.c:1307: High: system
Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.

..\clamav-0.91.2/sigtool/sigtool.c:815: High: strcat
Check to be sure that argument 2 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.

..\clamav-0.91.2/libclamav/hashtab.c:408: High: sscanf
Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s' without precision that could result in a buffer overflow.

..\clamav-0.91.2/shared/options.c:194: High: strncat
Consider using strlcat() instead.

..\clamav-0.91.2/shared/options.c:194: High: strncat
Check to be sure that argument 1 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.

..\clamav-0.91.2/shared/getopt.c:983: High: getopt
Truncate all input strings to a reasonable length before passing them to this function

..\clamav-0.91.2/shared/output.c:212: High: vfprintf
Check to be sure that the non-constant format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle.

..\clamav-0.91.2/sigtool/sigtool.c:609: High: scanf
Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s' without precision that could result in a buffer overflow.

..\clamav-0.91.2/test/pe/debugpe.c:165: Medium: signal
When setting signal handlers, do not use the same function to handle multiple signals. There exists the possibility a race condition will result if 2 or more different signals are sent to the process at nearly the same time. Also, when writing signal handlers, it is best to do as little as possible in them. The best strategy is to use the signal handler to set a flag, that another part of the program tests and performs the appropriate action(s) when it is set.
See also: http://razor.bindview.com/publish/papers/signals.txt

..\clamav-0.91.2/libclamav/mbox.c:4659: Medium: getc
Check buffer boundaries if calling this function in a loop and make sure you are not in danger of writing past the allocated space.

..\clamav-0.91.2/sigtool/sigtool.c:172: Medium: read
Check buffer boundaries if calling this function in a loop and make sure you are not in danger of writing past the allocated space.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:4260: Medium: stat
A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists. This is the first line where a check has occured. The following line(s) contain uses that may match up with this check: 4269 (open)

..\clamav-0.91.2/sigtool/vba.c:1063: Medium: realloc
Don't use on memory intended to be secure, because the old structure will not be zeroed out.

..\clamav-0.91.2/libclamav/lockdb.c:246: Medium: SetSecurityDescriptorDacl
If the third argument, pDacl, is NULL there is no protection from attack. As an example, an attacker could set a Deny All to Everyone ACE on such an object.

..\clamav-0.91.2/libclamav/msexpand.c:130: Medium: fgetc
Check buffer boundaries if calling this function in a loop and make sure you are not in danger of writing past the allocated space.

..\clamav-0.91.2/libclamav/others.c:433: Medium: srand
Standard random number generators should not be used to generate randomness used for security reasons. For security sensitive randomness a crytographic randomness generator that provides sufficient entropy should be used.

..\clamav-0.91.2/libclamav/others.c:697: Medium: lstat
A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists. This is
the first line where a check has occured.
The following line(s) contain uses that may match up with this check:
699 (rmdir), 715 (unlink)

..\clamav-0.91.2/contrib/Windows/Projects/clamAV/libclamav/regex.c:70: Medium: realloc
Don't use on memory intended to be secure, because the old structure will not be zeroed out.


You should keep in mind that ClamAV also relies on 3rd party libraries and tools, and it's security also depends on those. Again, I remind you that these aren't actual vulnerabilities, just bad practices that MAY lead to such vulnerabilities. You would need to look at the code and employ various testing tools to find them.

The authors of ClamAV should really solve these problems like OpenBSD developers do, even if it is something as simple as replacing strncat() with strlcat() - functions designed to be safer, more consistent, and less error-prone (this would be an issue on other platforms though, so it's not as simple as that).


III. Detection rates
So, here are some tests made by various research projects:

AV-Test is an anti-virus research project at the Institute of Technical and Business Information Systems at the Otto-von-Guericke University Magdeburg (Germany).

They measured the detection times for six of the malware programs released last week utilizing the MS05-039 Plug and Play vulnerability under 36 different anti-virus products. Eleven of the products were able to detect one or more of the attacks proactively, without any special pattern update to identify it specifically. Here are the numbers for each of the eleven:

Product Score
BitDefender 6 of 6 Fortinet 6 of 6 Nod32 5 of 6 eSafe 3 of 6 F-Prot 3 of 6 Panda 3 of 6 QuickHeal 3 of 6 McAfee 2 of 6 Norman 2 of 6 AntiVir 1 of 6 ClamAV 1 of 6

AV Comparatives did a test on various other Antivirus products not in their current testing process, including the ClamAV based ClamWin. Here are the results:
http://www.av-comparatives.org/seiten/ergebnisse/2ndgrouptest.pdf

This test also places ClamAV among the last in terms of detection rates:
http://www.sunbelt-software.com/ihs/alex/malwarereportjun3007.pdf

ClamAV also scores a 17 % (sig: 99% / heur: 1%) in retrospective Antivirus Performance Statistics, which also placed it among the last.

At VirusPool Tested Products ClamAV scores:

Number of descriptions in the database: 31928 out of 45159 live samples ( 70.7 %)
Number of 'in the wild' descriptions in the database: 25 out of 30 live samples ( 83.3 %)
(not very good, but not all that bad)

IV. Signature Updates:

How often is the clamav-virusdb updates? According to the FAQ, multiple times a week, and the response should be rather prompt. Anyway, to get an idea on that, take a look at http://lurker.clamav.net/list/clamav-virusdb.html

Conclusion:

I definitely need to investigate this further, but so far I find ClamAV to be highly overrated, simply based on the fact it is "part of the open source movement". It lacks a real time scanner (that's fair seeing how it was designed for mail gateways though), it has a horrible security track record, poor detection rates and dreadful performance. I somewhat doubt that it would last long as a commercial product. Still, it is available on multiple platforms, and the cost is just about right :-).

Things aren't all bad though (and I may have been to rash and only brushed the surface here). ClamAV is a free product (open source even), and it does leave a lot of room an opportunity to evolve. I just don't see this happening without powerful commercial backing. If you plan on using it though, make sure you've got at least another product scanning your emails :-).

Other links:
http://www.av-comparatives.org/
http://www.virustotal.com/

Unlocking MacOS FileVault Whitepapers, Video and Audio

FileVault is an encryption system found in Apple's Mac OS X v10.3 and later. It has quite a history of being vulnerable to watermarking attacks, not encrypting the swap file by default (although that option has been added later) so that the keys could be carved out of the page file, etc...

A few resources on FileVault (AKA VileFault) shortcomings:

• Unlocking FileVault Talk at 23c3 (video)
• Unlocking FileVault Talk at 23c3 (audio)
• Unlocking FileVault Whitepaper
• An Unencrypted Look at FileVault

Recovering data from the EXT2 Filesystem

EXT2 Undelete: A pretty good tutorial for recovering data from ext2 filesystems:

http://fedora.linuxsir.org/doc/ext2undelete/Ext2fs-Undeletion.html

See also:

• Filesystem tools: Data Recovery and Data Carving (you can use Foremost, Scalpel or FTimes to carve out a LOT of data from a drive).
• The Second Extended File System - Internal Layout
  

A few more tools to unerase files

A few free tools to restore deleted files:

• Undelete Plus works under Win 95/98/Me/NT/2000/XP/2003/Vista operating systems. The program supports all Windows file systems for hard and floppy drives including FAT12/16/32,NTFS/NTFS5 and image recovery from CompactFlash, SmartMedia, MultiMedia and Secure Digital cards.
• Recuva (pronounced "recover") is a freeware Windows utility to restore files that have been accidentally deleted from your computer.
• Restoration - free undelete tool for Windows.
• NTFS Undelete - free undelete tool for Windows.
• R-LINUX is a free file recovery utility for the Ext2FS partitions used in the Linux OS and several Unix. Host OS: Win9x/ME/NT/2000/XP/2003. Recovered data can be written to any disk visible by the host OS. R-Linux also can create DISK IMAGES that can be later processed by more powerful R-Studio. more about Data Recovery for Linux
• Ultimate Data Recovery - data recovery tool.
  
  

Phishing for secrets

Number one reason to train your staff, deploy Intrusion Detection System, Proxy Filtering, SPAM Filtering, Antivirus, Firewall and phishing filters on your networks:

Oak Ridge National Laboratory and Los Alamos National Laboratories ("Los Alamos National Laboratory helps to ensure the safety of the nuclear weapons stockpile and reduce the threat of terrorist attacks on our homeland." [SIC]) breached via phishing attacks, unclassified material stolen.

Exploit development frameworks and platforms - Metasploit, MSF-XB

Metasploit:

The Metasploit Project is an open source computer security project aids penetration testing activities and IDS signature development and provides information on security vulnerabilities.



Components:

• The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language (rewritten from Perl) and includes components written in C and ASM. The Metasploit Framework consists of tools, libraries, modules, and user interfaces. The basic function of the framework is a module launcher, allowing the user to configure an exploit module and launch it at a target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a shell to interact with the payload.
• The Shellcode Archive contains various payloads written by the Metasploit staff. Has Windows Shellcode Development Kit.
• The Opcode Database contains the position of certain machine language opcodes in the attacked program or included DLLs
  

MSF-eXploit Builder

• MSF-eXploit Builder (MSF-XB) is free Windows GUI and Exploit Development PlatformMetasploit Framework exploit modules. It will help you to edit/modify/create/test exploit modules for the Metasploit Framework. It also contains an assortment of Fuzzers (TAOF, ProxyFuzz, FileFuzz, WinFuzz) and various other tools (Branchseeker, Faultmon, mycrc, nc, Findjmp2 and even pstools). It requires an installed Metasploit framework and a debugger (try Immunity Debugger).

SecurityForest Exploitation Framework:

• SecurityForest's Exploitation Framework is similar in concept to Metasploit, and is written in Perl. The major difference is that it leverages the massive amount of exploits available in the ExploitTree. These exploits are publically available and do not have to be re-written to be used in the framework (no matter what language and sometimes no matter what OS). It basically acts as a Graphical User Interface to the ExploitTree which is dynamically updated at the same time as the ExploitTree.

E-mail exploitation frameworks:

• PIRANA is an exploitation framework that tests the security of a E-mail content filter. By means of a vulnerability database, the content filter to be tested will be bombarded by various emails containing a malicious payload intended to compromise the computing platform. PIRANA's goal is to test whether or not any vulnerability exists on the content filtering platform. This tool uses the shellcode generator from the Metasploit framework!

Browser Exploitation Framework:

• BeEF is the browser exploitation framework used to demonstrate the real-time impact of XSS browser vulnerabilities. Download here.
• Nikto is an Open Source web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Network Vulnerability Scanners

• Nessus is a comprehensive vulnerability scanning program. Its goal is to detect potential or confirmed weaknesses on the tested machines.
• FwTest is a firewall testing tool.

Online vulnerability databases:

• Secunia provides security advisories and information about patches, and provides software for vulnerability management.
• Milw0rm is an exploit database separated by exploit type.
  

Immunity Debugger - an exploit development debugger

Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility. It is similar to OllyDbg in functionality and interface.

Immunity Debugger is said to cut exploit development times in half and has a powerful scripting language and connectivity to fuzzers and exploit development tools.

Advanced malware analysis and forensics using virtualization and free tools

Here are a few quick steps for performing malware analysis on various badware (viruses, works, trojans, rootkits) that you may find in the course of a computer forensics investigation. In this case, I'm analyzing a variant of Sohanad, a Instant Messaging Worm, also known as "the cool pics worm".

Tools of the trade:

• Virtualization
• VirtualBox - it's free, open source and multi-platform (Windows, Linux).
• VMware Server (Linux, Windows), free
  
• qemu - available on multiple platforms (Windows, Linux, BSD, UNIX), free, open source
  
• Microsoft VirtualServer / VirtualPC
  
• File analysis
• File Analyzer
• PE Explorer
• PEiD detects most common packers, cryptors and PE compilers (over 470 signatures).
  
• Debuggers, disassemblers
  
• OllyDBG
• Ida Pro Freeware
• Immunity Debugger
  
• Hex Editors
• WinHEX
• HackMan
  
• File Alteration Monitors
• Sysinternals ProcMon, FileMon, RegMon, Process Explorer
  
• Network Monitors
• Wireshark (aka Ethereal)
• Windows Network Monitor
  
• Rootkit revealers, startup listers
• Sysinternals Autoruns, RootkitRevealer
  
• HiJack This
• Tools
• GnuWin32 Tools like file(1)
• UPX - a file packer / unpacker.
• Antivirus
• Virustotal - Analyzes uploaded files using over 33 Anti-Virus engines.
• Virus.org - Scans uploaded files with over 20 Anti-Virus engines (some differ from virustotal). It's interesting to see how many Antivirus products fail to spot a virus.
  
• Viruslist - Information about Viruses
• VirusPool - Malware Research Database
• Documentation
• PECOFF - Microsoft Portable Executable and Common Object File Format Specification
  

Initial configuration of the workbench:

We're going to setup VirtualBox (or any other virtualization product) with a copy of Windows XP SP2, update it and take a snapshot so we can easily move back to a clean system.

• Use VirtualBox to install WindowsXP SP2 in a Virtual Machine.

• Take a snapshot of the Virtual Machine - Initial Install.

• Install VirtualBox Guest Additions

• Install Microsoft Update and update the system.
• Create an ISO image of your tools, and mount it inside the Virtual Machine.
• Take another snapshot of the Virtual machine - Updated and configured.
• Add your tools to PATH to speed things UP.

Analyze the malware:

• Use Process Explorer, Sysinternals Autoruns, RootKitRevealer, HiJackThis and so on to find running processes and targets for analysis, then put them in the virtual machine "sandbox". Also, make sure you check the Digital Signature for files you may suspect of being malware (Right Click - Properties - Digital Signatures). A good way of revealing malware is looking for suspicious entries in Sysinternals Autoruns (just hide signed Microsoft Entries, then look for Unsigned or Fake signature entries). Remember though, malware can also be digitally self-signed.

• The Target: "New Folder.exe" - self described as "Worm2007" by "IT University".

• Determine file type using "magic": file "New Folder.exe", PeID and File Analyzer to get headers info.
  

• Use "strings" to parse the file for Unicode and ASCII strings: strings -n 8 "New Folder.exe"
  

• Use "head " to see the first few lines of the file: head -5 "New Folder.exe" - We can already see this file is packed using UPX. upx -l "New Folder.exe" confirms this.

• Uncompress the file: upx -d "New Folder.exe"

• Parse the file again with "file" and "strings" - this time we can see a lot more information.

• Use PE Explorer and "File Analyzer" to get even more information about PE Headers, dependencies and so on.

• Fire up OllyDbg, IDA Pro Freeware, Immunity Debugger, WinDBG or your favourite debugger / disassembler and analyze the file.

• Start Sysinternals ProcExp (Process Explorer - taskman on steroids), ProcMon (filemon and regmon combined), handle (check file handles) and TCPView and Wireshark (aka Ethereal) or MS Network Monitor, and run the piece of malware! We're going to see exactly what files and registry items it tries to change, what network connections it opens and what kind of network traffic it generates. We can also use "netstat -abn" to list network connections. We can later just restore the VirtualBox snapshot to get back to an untainted system.

• We restart the machine to allow the malware to apply it's group policies and registry changes / autoruns properly :-). We can see the effect of the applied group policies (disables regedit and taskman, but forgets about gpedit.msc and tasklist for example).

• We use Sysinternals Autoruns, RootKit Revealer and HiJack this to see how this piece of malware starts. With Sysinternals Autoruns we simply hide signed microsoft entries, and we can see 3rd party products, such as our piece of badware, hiding in lsass or svchost or ymessenger named entries.

• We use HiJack This to list changes to our system like disabling regedit, starting a really strange "svchost32.exe" that shouldn't be there and making the IE default webpage "thec**lpics.com" -> don't access it, it's the Malware's homepage…
  

O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\svchost32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

To remove the malware, you just need to reverse all the chances it has performed to the registry and filesystem. Once you've written down the location of the files from ProcMon and the running binaries from ProcExp, you can start by stopping the virus:

You can stop the Virus processes easily with Process Explorer, or you could just use "taskkill":

taskkill /F /IM svchost32.exe /T

You could also disable it from running at startup by removing it using Sysinternals Autoruns.

Once you've identified all the processes and what executables they were running from, just use WinDiff, EasyDuplicateFinder or something similar to find all identical binaries, and remove them.

You can the use "Fixed Checked" in HiJack this, and "reg add" or "reg delete", a .reg file or gpedit.msc to manually enable the Registry Editor or other disabled features in Windows. You could also use an offline Registry Editor. Example:

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" /v "DisableTaskMgr"
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools"
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools"
reg add "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Window Title" /d ""
reg add "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.msn.com"

To restore the missing files the malware removed (like msconfig.exe) just pop in the Windows cd, and use "expand" to uncompress and restore them: EXPAND -R D:\I386\MSCONFIG.EX_ c:\Windows\System32. Windows may also keep some copies of msconfig.exe around, but they may or may not be safe. Check the digital signature.

Building FTimes on Windows using Visual Studio

FTimes is a system baselining and evidence collection tool. The primary purpose of FTimes is to gather and/or develop topographical information and attributes about specified directories and files in a manner conducive to intrusion and forensic analysis.

On systems like FreeBSD you can use ports to build FTimes, but on Windows you'll need to build it yourself.

Building FTimes on Windows is quite a complex tasks, and requires building OpenSSL and PCRE first (if you want SSL / PCRE / XMagic support). Make sure you read the INSTALL file in the FTimes distribution. You'll need the following tools:

• Microsoft Visual Studio (or Visual Studio Express)
• ActiveState Perl
• OpenSSL - download the source code and the headers (unzip devel headers to C:\OpenSSL)
  
• PCRE libraries - unzip to C:\PCRE (you can skip this step and USE_PCRE=N)
  

Step 1: Build OpenSSL libraries:

1. Unzip the source code (to say c:\build\openssl)
2. Fire up CMD Shell (SetEnv.cmd from VisualStudio) and change to that dir (cd c:\build\openssl)
   
3. perl Configure VC-WIN32
   
4. MS\do_ms
5. Edit ms\nt.mak and change /MD to /MT
6. nmake -f ms\nt.mak (to build a static version - creates the *.lib files)
7. Copy libeay32.lib and ssleay32.lib to C:\openssl\lib

Step 2: Build FTimes:

1. nmake -f Makefile.vs USE_PCRE=N
2. nmake -f Makefile.vs test
3. nmake -f Makefile.vs install INSTALL_DIR="C:\Program Files\FTimes"
4. Use ftimes: C:\Program Files\FTimes\bin\ftimes.exe

C:\Program Files\FTimes\bin>ftimes

Usage: ftimes --cfgtest file mode [-s]
ftimes --compare mask baseline snapshot [-l level]
ftimes --decoder snapshot [-l level]
ftimes --digauto file [-l level] [list]
ftimes --digfull file [-l level] [list]
ftimes --diglean file [-l level] [list]
ftimes --getmode file [-l level]
ftimes --mapauto mask [-l level] [list]
ftimes --mapfull file [-l level] [list]
ftimes --maplean file [-l level] [list]
ftimes --version


C:\Program Files\FTimes\bin>ftimes --version
ftimes 3.8.0 ssl 32-bit

Malware and rootkit detection with Strider, RootKitRevealer and Rootkit Hunter

Removing nasty rootkits or spyware protected by "Hacker defender" and friends:

Strider GhostBuster detects API-hiding rootkits by doing a "cross-view diff" between "the truth" and "the lie". It's not based on a known-bad signature, and it does not rely on a known-good state. It targets the fundamental weakness of hiding rootkits, and turns the hiding behavior into its own detection mechanism.

It is similar to Mark Russinovich's RootkitRevealer from Sysinternals. Another interesting tool is Sophos Anti-Rootkit.

Also worth taking a look at LiveKd - run Kd and WinDBG kernel debuggers on a live system.

For a Linux/BSD/UNIX tool, take a look at Rootkit Hunter.

Cracking Cisco type 7 and type 5 PIX passwords with Cain and Abel

Number one reason you shouldn't paste your Cisco configs or password hashes on the Internet:

Cisco's PIX password encryption is a base64 encoded MD5 hashsum, using only one MD5 update (no salting or anything). This also permits for cryptanalysis attacks using rainbow tables to speed up the process.

Simple hashes like:

enable password RLPMUQ26KL4blgFN encrypted

Get cracked instantly. -> 1234


Also, note that MD5 has know weaknesses in the algorithm, that may allow for more complex password cracking attacks.

Also, if you're using a "type 7" password, that's pretty much useless, since it can get cracked instantly. People can just use simple tools such as Cain and Abel, or Solarwinds Router Password Decryption to reverse the crypto on type 7 passwords.

someuser privilege 0 password 7 06351A3149085123301517391C501918

IOS type 5 passwords (MD5 using 1000 rounds) is more complex, and harder to crack, but yous still shouldn't paste your hashes for everyone to see... Remember, even with type 5 passwords, you're still vulnerable to dictionary attacks, hybrid attacks, rainbow table attacks (PIX only), md5 repository attacks, or plain old password guessing.

If you're going to paste your config files anywhere, use the "show tech-support" command available in newer IOS versions. It gives more info, and strips confidential information, password hashes and such.


You can even use decrypt.pl - a neat little Perl script to instantly decrypt type 7 passwords:

#!/usr/bin/perl -w
# $Id: ios7decrypt.pl,v 1.1 1998/01/11 21:31:12 mesrik Exp $
#
# Credits for orginal code and description hobbit@avian.org,
# SPHiXe, .mudge et al. and for John Bashinski
# for Cisco IOS password encryption facts.
#
# Use for any malice or illegal purposes strictly prohibited!
#

@xlat = ( 0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41,
0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c,
0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53 , 0x55, 0x42 );

}

while (<>) {
if (/(password|md5)\s+7\s+([\da-f]+)/io) {
if (!(length($2) & 1)) {
$ep = $2; $dp = "";
($s, $e) = ($2 =~ /^(..)(.+)/o);
for ($i = 0; $i < length($e); $i+=2) {
$dp .= sprintf "%c",hex(substr($e,$i,2))^$xlat[$s++];
}
s/7\s+$ep/$dp/;
}
}
print;
}

Covert Channels: NTFS Alternate Data Streams

Alternate Data Streams (ADS) are a NTFS feature introduced in the Windows NT Operating System to provide compatibility with Macintosh Hierarchical File System (HFS) - that uses both data forks and resource forks to store content. Data forks are used for storing the document content, while the resource fork is used to identify the file type and store application metadata (icons, fonts, etc), hardlinks, encryption.

Alternate Data Streams provide additional descriptions for files or folder such as author, thumbnail preview, keywords and such, and can be used to attach an independent named data streams to a file or folder stored on a NTFS filesystem.

ADS are very poorly documented, and Windows comes with no default tools to spot such streams (previous to Vista/2008 "dir /r"), hence their popularity as a covert channel.

Using a NTFS Alternate Data Stream using pipes and "more":

c:\streams>copy con foo.txt
This is the data stream.
^Z
1 file(s) copied.

c:\streams>type foo.txt
This is the data stream.

c:\streams>echo "This is the Alternate Data Stream" > foo.txt:bar.txt

c:\streams>type foo.txt
This is the data stream.

Only a handfull of applications are ADS aware. "TYPE" is not, as we can see:

c:\streams>type foo.txt:bar.txt
The filename, directory name, or volume label syntax is incorrect.

But more is ADS aware:

more < style="font-weight: bold;">covert channel.

c:\streams>dir
11/26/2007 10:36 AM 0 baz.txt
11/26/2007 10:21 AM 26 foo.txt

c:\streams>type c:\Windows\winhelp.exe > baz.txt:winhelp.exe

c:\streams>dir
11/26/2007 10:48 AM 0 baz.txt
11/26/2007 10:21 AM 26 foo.txt
2 File(s) 26 bytes
2 Dir(s) 5,525,233,664 bytes free



So, how do we spot such covert channels? We can use the systernals "streams" command. Using the -s flag, it will recurse through subdirectories and identify Alternate Data Streams (we can also use -d to delete them). Since Windows doesn't come by default with ANY tool to identify such ADS, and this NTFS feature is very poorly documented, it's hard to spot them without actually knowing they're there.

c:\streams>streams -s c:\streams

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\streams\baz.txt:
:winhelp.exe:$DATA 256192
c:\streams\foo.txt:
:bar.txt:$DATA 38


In some versions of windows, we can also execute an alternate data stream executable using the "start" command, and the executable will show up in the tasklist / taskmanager as the regular stream. That way, malware can hide in regular Windows programs such as notepad.exe


In Windows Vista Microsoft has added the "/r" flag to "dir" so we can easily spot ADS:

c:\streams>dir /r
11/26/2007 10:48 AM 0 baz.txt
256,192 baz.txt:winhelp.exe:$DATA
11/26/2007 10:21 AM 26 foo.txt
38 foo.txt:bar.txt:$DATA


We can also create and use ADS in our applications, using such code:

hStream = CreateFile( "datafile:alternatestream", GENERIC_WRITE, FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, 0,NULL );

Here's something fun: Using an alternate data stream with a folder (say the C:\Windows directory to write our "memories" ):







Note: Other filesystems such as Apple HFS, Solaris UFS (extended attributes), Solaris ZFS, Veritas VxFS and Novell NWFS also support filesystem forks, that pose a risk to the system (tools may not always be aware of forks, backup applictions can ignore them and data loss may occur and, of course, they can be used as covert channels).


Note: MOW (ThePowerShellGuy) has a great article on accessing Alternate Data Streams from PowerShell:

PowerShell : Accessing alternative data-streams of files on an NTFS volume

Exploiting md5 and other hashing functions collisions for fun and profit

The crytographic hash function MD5 has been broken. In March 2005, Xiaoyun Wang and Hongbo Yu of Shandong University in China published an article in which they describe an algorithm that can find two different sequences of 128 bytes with the same MD5 hash.

More links can also be found on Wikipedia's MD5 page.

SHA-0 has also been broken and The security of SHA-1 has been somewhat compromised by cryptography researchers. Chinese cryptographers showed that SHA-1 is not collision-free. That is, they developed an algorithm for finding collisions faster than brute force. There was also an attack reported in RIPEMD.

Practical applications of md5 collisions:

• Magnus Daum and Stefan Lucks have created two PostScript files with identical MD5 hash, of which one is a letter of recommendation, and the other is a security clearance.
• Eduardo Diaz has described a scheme by which two programs could be packed into two archives with identical MD5 hash. A special "extractor" program turn one archive into a "good" program and the other into an "evil" one.
• Here's a pair of valid X.509 certificates that have identical signatures. The hash function used is MD5.
• Here's a paper demonstrating a technique for finding MD5 collisions quickly: eight hours on 1.6 GHz computer.
• Hashclash - Vulnerability of software integrity and code signing applications to chosen-prefix collisions for MD5
• The Status of MD5 after a recent attack (1996 whitepaper)
  

The following is an improvement of Diaz's example, which does not need a special extractor. Here are two pairs of executable programs (one pair runs on Windows, one pair on Linux).

• Windows version:
  • hello.exe. MD5 Sum: cdc47d670159eef60916ca03a9d4a007
  • erase.exe. MD5 Sum: cdc47d670159eef60916ca03a9d4a007
• Linux version (i386):
  • hello. MD5 Sum: da5c61e1edc0f18337e46418e48c1290
  • erase. MD5 Sum: da5c61e1edc0f18337e46418e48c1290

What does this mean? You should use at least 2 hashing algorithms (RIPEMD-160, Tiger, WHIRLPOOL, SHA-256, SHA-512), as the chances of finding the same collisions in more than 1 hashing algorithm are practically 0.

Blue Pill - Malware Virtualization

Blue Pill is a prototype malware that uses the virtualization capabilities of AMD processors (AMD-V extensions, previously know as Pacifica) to inject a rootkit in a running Vista operating system to create a lite hypervisor that takes complete control of the underlying operating system.

According to Joanna Rutkowska, a stealth malware researcher at Singapore-based IT security firm COSEINC, the author, by using Pacifica, Blue Pill would be able to trap a running instance of the operating system into a virtual machine, and would then act as a hypervisor, with complete control of the computer. Joanna Rutkowska claims that, since any detection program could be fooled by the hypervisor, such a system would be "100% undetectable". While this statement was proven false, it's still a fun toy to play with, especially since the source code is available.

Sandboxie - a transient storage area jail

Sandboxie provides a transient storage area (a sandbox) where data flows in both directions between programs and the sandbox and read operation data may flow from the hard disk into the sandbox, but data never flows back from the sandbox into the hard disk. In other words, programs in the sandbox can NEVER modify your system.


That means you can run malicious programs or test software without any issue: when you're done, just empty the sandbox. It also means you can browse the web safer with Internet Explorer or Firefox or whatever. Compromised programs cannot interact with your system. And best of all, Sandboxie is free :-).



You can also use it sort of like filemon/regmon (procmon) to monitor file changes / registry changes:

Security Pro Admits to Hijacking PCs for Profit

Security consultants ran botnets on their client machines."

"A computer security consultant accused of installing malicious software to create an army of up to 250,000 "zombie" computers so he could steal identities and access bank accounts will plead guilty to four federal charges."

"According to an FBI informant who asked not to be named, Schiefer was a member of Defonic, a hacker group that included the individuals identified in the paragraph above as Zach "Majy" Mann, as well as "0x80". Another member of Defonic --- Cameron "cam0" LaCroix -- earned his reputation after breaking into Paris Hilton's cell phone account and later leading the group in breaching data giant LexisNexis, a stunt in which cam0 and several others pulled sensitive records on more than 310,000 people, including a number of Hollywood celebrities."

So much for trusted 3rd parties.