I was recently pointed towards www.reportspammers.net, which is a good resource for all things spam related and is steadily increased the quantity and quality of the information available. As much as I like the statistics that can be gathered from honeypot systems, live and real stats are even better and the data utilised by Report Spammers is taken from the email clusters run by Email Cloud.

One of the first resources released was the global map showing active spam sources (static image below), it is updated hourly and the fully interactive version can be found here.

Where are spammers global map

In addition to the global map, Report Spammers also lists the most recent spamvertised sites seen on it’s mail clusters. I’m undecided with the ‘name and shame’ methodoly due to the risk of false postives, but if your looking for examples of spamvertised sites it will prove a good resource (and one I intend to delve deeper into next time I’m bored). Just beware, sites that actively advertise via spam are rarely places that you want to point you home browser at, you have been warned.

If you are wanting a resource to explain spam and the business model behind it Report Spammers could be a good starting point. It even has the ability to explain spam to non-infosec types that still think spam comes in tins. Keep this in mind next time you need to run another information security awareness campaign.

– Andrew Waite

Since reading Virtual Honeypots I’ve been wanting to implement a HoneyD system, developed by Niels Provos. From it’s own site, HoneyD is:

a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses – I have tested up to 65536 – on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.

My initial experience getting HoneyD running was frustration to say the least. Going with Debian to provide a stable OS, the install process should have been as simple as apt-get install honeyd. While keeping upto date with a Debian system can sometimes be difficult, the honeyd package is as current as it gets with version 1.5c.

For reasons that I can’t explain, this didn’t work first (or second) time so I reverted to compiling from source. The process could have been worse, only real stumbling block I hit was a naming clash within Debian’s package names. HoneyD requires the ‘dumb network’ package libdnet, but if you apt-get install libdnet you get Debian’s DECnet libraries. On Debian and deriviates you need libdumbnet1.

HoneyD’s configuration has the ability to get very complex depending on what you are looking to achieve. Thankfully a sample configuration is provided that includes examples of some of the most common configuration directives. Once you’ve got a config sorted (the sample works perfectly for testing), starting the honeyd is simple: honeyd -f /path/to/config-file. There are plenty of other runtime options available, but I haven’t had time to fully experiment with all of them; check the honeyd man pages for more information.

As well as emulating hosts and network topologies, HoneyD can be configured to run what it terms ’subsystems’. Basically this are scripts that can be used to provide additional functionality on the emulated systems for an attacker/user to interact with. Some basic (and not so basic) subsystems are included with HoneyD. Some additional service emulation scripts that have been contributed to the HoneyD project can be found here. As part of the configuration, HoneyD can also pass specified IP/Ports through to live systems, either more indepth/specialised honeypot system or a full ‘real’ system to combine low and high interaction honeypot.

I’m still bearly scratching the surface of what HoneyD is capable of, and haven’t yet transfered my system to a live network to generate any statistics, but from my reading, research and experimentation I have high expectations.

– Andrew Waite

The new auto tint squeegee handle has finally come out.  Auto tinters can get great leverage with the Fusion 5” to get the water out during the first pass.  Less strokes needed & better results.

Fusion 8 squeegee handle and orange fusion squeegee was also introduced which is an excellent tool for architectural installation, commercial and flat glass window film installations.  Buy the right tools and get better results in faster installation times.  Solar Control Films offers all the tinting tools that a tinter would need to buy.

I’ve recently been involved in a couple of discussions for different ways for identifying malware. One of the possibilities that has been brought up a couple of times is fuzzy hashing, intended to locate files based on similarities to known files. I must admit that I don’t fully understand the maths and logic behind creating fuzzy hash signatures or comparing them. If you’re curious Dustin Hurlbut has released a paper on the subject, Hurlbut’s abstract does a better job of explaining the general idea behind fuzzy hashing.

Fuzzy hashing allows the discovery of potentially incriminating documents that may not be located using traditional hashing methods. The use of the fuzzy hash is much like the fuzzy logic search; it is looking for documents that are similar but not exactly the same, called homologous files. Homologous files have identical strings of binary data; however they are not exact duplicates. An example would be two identical word processor documents, with a new paragraph added in the middle of one. To locate homologous files, they must be hashed traditionally in segments to identify the strings of identical data.

I have previously experimented with a tool called ssdeep, which implements the theory behind fuzzy hashing. To use ssdeep to find files similar to known malicious files you can run ssdeep against the known samples to generate a signature hash, then run ssdeep against the files you are searching, comparing with the previously generated sample.

One scenarios I’ve used ssdeep for in the past is to try and group malware samples collected by malware honeypot systems based on functionality. In my attempts I haven’t found this to be a promising line of research, as different malware can typically have the same and similar functionality most of the samples showed a high level of comparison whether actually related or not.

Another scenario that I had developed was running ssdeep against a clean WinXP install with a malicious binary. In the tests I had run I haven’t found this to be a useful process, given the disk capacity available to modern systems running ssdeep against a large HDD can be a time consuming process. It can also generate a good number of false positives when run against the OS.

After recently reading Leon van der Eijk’s post on malware carving I have been mulling a method for combining techniques to improve fuzzy hashing’s ability to identify malicious files, while reducing the number of false positives and workload required for an investigator. The theory was that, while any unexpected files on a system are not desirable, if they aren’t running in memory then they are less threatening than those that are active.

To test the theory I infected an XP SP2 victim with a sample of Blaster that had been harvested by my Dionaea honeypot and dumped the RAM following Leon’s methodology. Once the image was dissected by foremost I ran ssdeep against extracted resources. Ssdeep successfully identified the malicious files with a 100% comparison to the maliciuos sample. So far so good.

With my previous experience with ssdeep I ran a control test, repeating the procedure against the dumped memory of a completely clean install. Unsurprisingly the comparison did not find a similar 100% match, however it did falsely flag several files and artifacts with a 90%+ comparison so there is still a significant risk of false positives.

From the process I have learnt a fair deal (reading and understanding Leon’s methodolgy was no comparison to putting it into practice) but don’t intend to utilise the methods and techniques attempted in real-world scenarios any time soon. Similar, and likely faster, results can be achieved by following Leon’s process completely and running the files carved by Foremost against an anti-virus scan.

Being able to test scenarios similar to this was the main reason for me to build up the my test and development lab which I have described previously. In particular, if I had run the investigation on physical hardware I would likely not have rebuilt the environment for the control test with a clean system, losing the additional data for comparison, virtualisation snap shots made re-running the scenario trivial.

–Andrew Waite

P.S. Big thanks to Leon for writing up the memory capture and carving process used as a foundation for testing this scenario.

In questa pagina del sito di Apple è disponibile il kit di sviluppo di applicazioni iTunes Lps e Extras. Tutto condito da tutor, guide ecc..

Come sruttarlo in un modello di business? Ne parlano su AppleInsider

“Apple’s new iTunes formats signal an intention to create an entirely new business of selling interactive content, in addition to the music, TV and movie, and iPhone mobile software that the company has incrementally built into a series of online market empires. Rather than just being a way to enhance album and movie sales, Apple’s recent talks with newspaper and magazine publishers indicate that the interactive iTunes formats are really designed to allow traditional print publishers to enter the digital age with a business model that is more substantial than the web’s current adware/spyware model, where users’s preferences are tracked with cookies and relevant ads are shown in an effort to monetize content.

The free web, supported entirely by advertising, has revolutionized the flow of information but has devastated traditional journalism by giving uniformed bloggers and astroturfing advertising campaigns an equal presence next to legitimate news sources, erasing any sense of journalistic integrity and reputation. It has also enabled widespread content theft, where news and information published by a reputable source at significant cost can be freely plagiarized by anonymous individuals who then get money from their own adjacent ad placements on their “splogs” or spam blogs, something that ad marketers like Google have quietly benefitted from and thus have made little effort to eradicate.

Apple’s simple interactive content formats, paired with its very popular iTunes delivery system, is guaranteed to create a real market for web content independent from contextual advertising. This will enable the company to do an end run around Google’s ad empire and Microsoft’s belated efforts to copy Google, and offer content producers such as newspapers, book publishers, magazine editors, and other vendors of proprietary information a marketplace where they can sell their content directly to consumers, just as Apple provided a functional market to music labels, movie studios, and mobile software developers.

This new strategy appears to be the linchpin that will make Apple’s forthcoming tablet a viable product, as consumers will be buying it not just to surf the ad-sponsored web, but also to navigate a new generation of interactive, animated digital content: newspapers and magazines that incorporate video and voice and hyperlinks just like the web, but without ads. Similar to premium TV channels, this will result in a market for premium content as an alternative to the puerile garbage that fills most of the space between commercials on free TV channels and the web.
“

Continua a leggere

The team from Offensive Security have just announced the opening of explo.it (re-directs to exploits.offensive-security.com, just more memorable). The site is designed as a successor to milw0rm. If you’ve ever browsed the milw0rm site the layout will be instantly familiar.

I think this is great news for the infosec community, not only does the OffSec team always produce high quality output, but it helps provide some stability in the wake of milw0rms recent uncertainty.

At this point the site’s content volume is growing rapidly, when I looked this morning the archives exploits numbered around 9000, already it has reach 10000+, and a refresh of the front page has this number increase a good percentage of the time.

One feature of the site that I do like is a link (where available) to the vulnerable version of the application or code. I believe this will make testing much easier as it removes the need to trawl the web for an often unsupported and unavailable old version of an application. I really hope that this feature will become popular and all/most of the published exploits will link to a download location for retrieving the vulnerable code where possible.

Happy exploiting (in your lab, obviously)

– Andrew Waite

I’ve recently had the pleasure of talking with Leon van der Eijk which resulted in me getting the opportunity to review an article he had been working on. The focus of the article is to identify and collect malware samples from running processes within volatile memory. Given my predilection for malware collection and analysis Leon correctly guessed that I would enjoy the article, which does a great job of describing a method for collecting and analysing malware (and other files and processes) from RAM on a live Windows system

Leon’s method utilises Meterpreter’s memdump.rb script to collect the a snapshot of an infected system’s memory, then utilises Foremost to carve up the collected memory image into individual files which can then be analysed as normal. As the article has just been published today I won’t try to improve on the work already, but I would suggest giving it a read here.

My own forensics skills aren’t yet up to the level that I would like, but I was able to replicate Leon’s process relatively easily within my own lab environment, and without too many problems. This, along with my experience at Northumbria University last week (more later), has re-ignited my interest in improving my forensic skills, and has proved to me that some of the basic skills and techniques involved with the forensic process isn’t all black magic.

The article is definitely worth a read if you have an interest in either computer forensics and/or malware analysis. In case you missed it above, link to article: Carving malware from live memory. Keep up the good work Leon.

– Andrew Waite

Business promotional products are booming in contemporary times.

And why not, they’re extremely impressive and beneficial.

Promotional tool kits refer to products used by companies, in their marketing programs. These items are generally imprinted with the respective company’s name, logo or slogan, to depict the brand’s identity and dissimilarity.

You must be sick of spotting such promotional products all around your home and office, right? That’s exactly how promotional tool kits are different.

How are they different?

They aren’t like useless freebies which lack utility. They’re not another stress ball or show piece that you generally receive in plenty while walking around a trade show.

They’re useful and creative.

Examples of such tool kits would include products like: paper napkins, pen drives, flashlights, plants’ grow cups, pencils and markers, etc. Such products are like to be used by potential customers instead of landing into their dustbins or store rooms!

Hence, they obviously have a better impact over the others.

So, how do you choose the right tool kit for your company?

1)      Take your time.

Yes, take your time to study your target audience and other such strategies. Your tool kit must be in sync with your marketing strategies. For example, if you’re into selling computers, giveaway pen drives with your logo imprinted on it.

2)      Be positive.

Try making it an enthusiastic and positive effort rather than it being preachy. The level of impact and response will be more. For example, that pen drive can have this quote along with the logo: “Thanks for choosing our computer.”

3)      Be distinctive.

Being distinctive and remembered is extremely important. Your promotional tool kit must be appealing enough to be worth using. Be humorous, outrageous, catchy or simply cute. Whatever works for you the best.

As promotional tool kits are all about being innovative, explore it.

It will work wonders if you hit the right note.

Indeed.

Happy promoting!

This is another curriculum recommended by Sherri B.  It can be purchased from this website http://www.creativeartsinaction.com/wonderofwords.htm. I could not find any independent reviews, though the website offers some testimonials.

As I discussed in my last post about Dionaea I am really impressed with the improvements to logging capabilities over Nepenthes. I’ve now had a Dionaea system online for ~24hours, which while it isn’t enough data to draw any meaningful statistics, it has provided enough data to work on some new tools. I had been intending to extend my Nepenthes tools to parse the logs and enter data into a database for additional and simpler analysis. This was promptly squashed with the migration to Dionaea, but the theory has proven to be a good one as Dionaea’s default logging to an SQLite database has made development much quicker and easier.

To get a feel for the new system, and to keep my capabilities up to speed, I’ve spent this evening writing a script to provide the same information for a Dionaea system that my Nepenthes statistics script provided previously. As usual, the script can be found over at InfoSanity, here. An initial set of results from my system is below for an example:

Statistics engine written by Andrew Waite – www.infosanity.co.uk

Number of submissions: 11
Number of unique samples: 10
Number of unique source IPs: 8

First sample seen: 2009-11-09 14:19:15.518382
Last sample seen: 2009-11-10 18:35:28.235052
SystemrRunning: 1 day, 4:16:12.716670
Average daily submissions: 11.0

Most recent submissions:
2009-11-10 18:35:28.235052, 195.90.106.212, emulate://, a4dde6f9e4feb8a539974022cff5f92c
2009-11-10 16:23:12.925538, 195.93.135.67, tftp://195.93.135.67/ssms.exe, 1d419d615dbe5a238bbaa569b3829a23
2009-11-10 16:00:14.846435, 195.170.57.28, tftp://195.170.57.28/ssms.exe, fd28c5e1c38caa35bf5e1987e6167f4c
2009-11-10 15:39:48.598303, 195.46.34.91, http://zonetech.info/61.exe, beee7a74712b2e3c84182c1bf18750ae
2009-11-10 13:00:29.916721, 195.95.170.138, emulate://, ddf1259a8fcef0776054460ebdf3cae4

– Andrew Waite

I’ve known about Vyatta for a while, but whilst the premise has always seemed appealing I’ve not had a reason to dig deeper. Vyatta propose to be ‘The open source alternative to Cisco’, which appeals as a nice fit into a low-cost training and development lab so tonight I decided to take a closer look.

I started by downloading Vyatta’s prebuilt VMware image, which can be downloaded here along with a Xen image and an ISO file for physical install. The VMware image is designed for workstation applications, but a quick run through my new friend in VMware Converter I quickly had the image transfered across to my ESXi based environment and booting without issue.

Vyatta provide a wealth of information in the documentation section (which requires registration, although it did not require the usual ‘activation’ email so dummy values may be enough). I haven’t had a chance to delve fully into the documentation and functionality but starting out has so far been simple enough: Logging onto the Vyatta device at the command-line requires the default user credentials of vyatta/vyatta. Once logged in you can start the configuration by entering ‘configure’

Once in configuration mode setting up interfaces is simple enough:

vyatta@vyatta# set interfaces ethernet eth0 description “WAN”

vyatta@vyatta# set interfaces ethernet eth0 address 192.168.1.254/24

vyatta@vyatta# save

vyatta@vyatta# commit

vyatta@vyatta# exit

Configuring different parts of the system are similarly simple, and with a bit of experience theVyatta systems seems intuitive enough and from basic testing performance is more that adequate, at least for my requirements. The time I’ve spent getting to grips with a new system has paid of so far, and for the time being I have a nice new addition to my lab environment. I’m hoping this system can provide some seperation between between between target/test systems and provide additional realism t my lab.

– Andrew Waite

Buy tools from the tint tool supplier and distributor at Solar Control Films Inc.  The new handled squeegee, fusion 5 is about to come out and buy it while you can, limited supply expected.    Buy these handles because they are designed to optimize your leverage in removing mounting solution during the installation process.  You can get more water out with the fusion 5 when you put the orange crush, blue max or clear max squeegee in it.

The 18 page tool catalog shows all the installation tools that a tinter needs to buy to have great installations.

Buy now and save.

Solar Control Films Inc is your one stop tinting supply warehouse to buy tools with distribution centers in Houston, Texas and St. Louis, Missouri.  Solar Control has over 11,000 square feet of window film supplies to buy including:

• Automotive Tint
• Commercial Window Films
• Residential Films
• Tinting Tools
• Safety Film
• Sun Blocking Films

The tint tools supplied include:  Olfa knives, olfa blades, red dot knife, scrapers, squeegees, 3M Gold Squeegee, spray bottles, blue max, yellow turbo, Stainless Steel blades, carbon blades, best buy stroke doctor, thor’s hammer jr., channels, unger handle, Pro Squeegee, blue turbo blade, slim foot, big foot, red devil, slammer, conquerer, power stroke, 3M wet squeegee, orange crush, hard cards, teflon blades, chizer, EZ reach, diamond tip, contour, black teflon, meters, rulers, markers and more tinting tools to purchase and buy.

Window films include Global’s HP Charcoal, QDP, global gard, dual reflective commercial films, silver reflective, neutral, nano ceramic IR, tranparent films, safety films, uv films and frost widow film to buy and install.

A colleague recently introduced me to scripting with Powershell. After seeing a couple of examples of it’s strength for handling legitimate administration tasks my devious side came into play and I started imaging havok in my head.

As a starting project for getting to grips with Powershell basics I thought I’d try a proof of concept to replicate Meterpreter’s ability to disable AV and other defence mechanisms within the getcountermeasure function. I love meterpreter, but sometimes you need to work with more primitive native tools, as Powershell is starting to be included by default within Windows systems it is now one of the ‘primitive’ tools. My theory was that this should give me a bit of a challange, without jumping in at the deep end.

Well I was wrong, I guess showing the strength of Powershell this proved not to be a challange at all. The code below reads a list of unwanted processes from a text file, and kills the processes. All in four lines of code (I’m told this could be shortened at the expense of readability)

#read list of AV processes to kill
$avprocs = Get-Content AVprocs.txt

#kill all unwanted processes
foreach( $procname in $avprocs)
{
Stop-Process -name $procname
}
#simples…..

The next time you pop a Windows box don’t dispare, there’s more power available than just batch scripts

– Andrew Waite

P.S. Before anyone shouts about aiding skiddies, the above code could have some great legitimate uses as well; from automatically cleaning up infected systems to aiding productivity by adding doom.exe to the list of processes

The possibilities are endless, both good and bad.

I keep one of the 2-Bit tools in my glovebox. It comes in handy when you need a screwdriver or flashlight. The 5303B 2-bit Tool features 2 screwdriver bits, an LED light, a level, and a pocket clip. SwagHound.com is offering the 2-Bit Tool w/ Level for 1.75 each w/ a 250 piece minimum thru 12/31/2009.

As life has become more transient my materials have formed into kits. With printmaking retreats, over an hours traveling time between home and studio and a separate set of clean tools for uni, portability and segregation have become essential. A studio with an uncertain future, the possibility of travel and the prospect of a new home entails the whittling down of things. An antithetical attitude to my early days in art where I hoarded every last stick of charcoal and used canvas, slavering over strange materials in art shops, materials that were never used.

A laptop and digital camera complete the portable studio, occasionally with the assistance of my beloved drop leaf table.

As part of an upcoming project I’ve been playing with some screen capture and editing software. As I’ve never been one for for the graphical/fluffy side of IT it’s a new area for me, and I was shocked with how simple it can be.

For screen capture I used the free CamStudio application, at first try it seems small, lightweight and most importantly simple and intuitive to use.

Finding decent editing software for free was difficult, @usedtire suggested Cinelerra for Linux. From the site it looks to be an impressive application, but I’ll admit I found no easy way to get this running under Debian/Ubuntu and ended up in dependency hell, so I installed Windows Movie Maker thanks to the links/instructions I found here.

Whilst experimenting with my new found tools I’ve created the somewhat obligitory Metasploit tutorials:

• Creating a binary meterpreter payload
• Setting up payload/multi/handler to accept payloads

– Andrew Waite