Author Archive for Francois

Virus definition update on the F-Secure rescue CD

Published on May 23, 2010 in How-to, Security, Software & Tools and Uncategorized. Closed Tags: , , .

So, a co-worker from the office asked me to clean their personal laptop from one of those anti-virus application that install themselves and creates a bunch of pop-ups telling you you are infected.  Obviously, I didn’t want to connect that machine to our corporate LAN, so I figured I should use a rescue CD of some sort that does AV scans.  I was highly recommended to use F-Protect’s rescue CD for this type of malware in my SANS 504 course that I just took last week.

A quick Google search returned a very useful page from techmixer.com titled FREE Bootable AntiVirus Rescue CDs Download List.  This page lists seven freely available Antivirus rescue CD options.  So I downloaded the ISO for F-Protect and burned it to a CD.  Obviously, you want to make sure you are scanning with the latest virus definition update, but since the CD is a read-only media, you can’t update the virus definition on it.  The ISO contains a virus definition file from July 2009, but that’s way to old to be useful.  I tried to follow the instructions that were on the techmixer.com page about F-Protect to use the updates on a USB stick, but without success.  When all else fails, read the instructions.  ;-)

I downloaded the PDF manual from http://www.f-secure.com/linux-weblog/files/rescue_cd_user_guide.20090717.pdf and those instructions, unlike the ones on the techmixer.com ones, instructed to create a fsecure\rescuecd folder on your USB stick.  That way, the virus definition gets expanded to the rescuecd folder as well as the results of the scan is saved in a reports folder.  The trick is to use a USB drive that has nothing else on it.  Why they had to do it that way, I’m not sure.  I wished that it wasn’t so because I would rather carry only one stick instead of dedicating one to having the F-Secure virus definition file.

For those of you who prefer bullets and get ‘er done, here is a step-by-step how-to:

  1. Download the ISO  from the F-Secure web site.  As of this writing, version 3.11 is current.
  2. Burn the ISO to a CD.
  3. Have a FAT formated USB thumb drive with nothing on it.
  4. Create a fsecure folder at the root of the drive.
  5. Create a rescuecd folder in the fsecure folder.
  6. Download the latest virus definition file from F-Secure from http://download.f-secure.com/latest/fsdbupdate9.run
  7. Copy the fsdbupdate9.run to the root of your USB drive.
  8. Plug-in the USB drive on the sick computer and then boot the rescue CD.

F-Secure picked-up that I had a USB drive connected and used the virus definition for the scan.  Simply follow the on-screen instructions and your computer will be cleaned up.

VLC media player auto-update and vulnerability

Published on April 25, 2010 in Patching and Security. Closed Tags: , , , .

I just picked up an advisory from Secunia about VLC Media Player vulnerabilities. There are 9 vulnerabilities. Three are related to A/52, DTS and MPEG audio decoders. Three are about the AVI, ASF and Matroska demuxer. The other three are about the XSPF playlist, the ZIP and RTPM implementation.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires that the user is tricked into opening a specially crafted file.

There is no CVE Reference and unfortunately cannot figure out a CVSS score.  You can find the original advisory (VideoLAN-SA-1003) here:
http://www.videolan.org/security/sa1003.html

There are two interesting things about this one.  One, as of right now (April 25, 2010 at 22:39 GMT-6), the fixed version for Windows (1.0.6) is still not available on the Video LAN web site.  That’s a bit unusual because, typically, the vendor likes to make sure the patch/updated version of the vulnerable software is available before publishing the vulnerability on their on web site.  The second thing that’s interesting is that the auto-update does not seem to work in my installed version (1.0.1).

I thought that maybe I had a problem in my home LAN that caused the auto-update to fail.  I fired up Wireshark and did a quick sniff of the traffic when trying to get VLC to update.  I used the Follow TCP Stream feature and it was quickly apparent that the problem wasn’t with me at all.  The GET that VLC sent got a 206 Partial Content

HTTP/1.1 206 Partial Content
Content-Type: text/plain
Accept-Ranges: bytes
ETag: “3280753111″
Last-Modified: Mon, 01 Feb 2010 23:15:18 GMT
Content-Range: bytes 0-485/486
Content-Length: 486
Date: Mon, 26 Apr 2010 04:24:08 GMT
Server: lighttpd/1.4.19

1.0.5

http://www.videolan.org/mirror-geo-redirect.php?file=vlc/1.0.5/win32/vlc-1.0.5-win32.exe

Due to a bug in the update feature of your on of VLC, the automatic download of the new VLC will fail.

You have to download VLC 1.0.5 from VideoLAN’s website: http://www.videolan.org

VLC 1.0.5 is a minor release of 1.0.x version of VLC. It fixes a few bugs, updates the codecs and the compiler for Windows, and should improve decoding speed. It also improves and update many translations.

Well, might as well download 1.0.5 for now and use the auto-update to check the 1.0.6 fix.

BackTrack 4 Final Released

Published on January 11, 2010 in Security and Software & Tools. Closed Tags: , , .

Sorry for being away for so long (almost a year since the last post).  I have been making sure that this server and WordPress is always up to date even though I was not actively posting.  I’d hate for a blog about IT security to be compromised, especially if I’m the one managing it.

BackTrack dragon headIn any case, it would appear that BackTrack 4 is out of Beta and is available for all to download!  I’m downloading it as I am typing this and will be burning it to a DVD to play with it.  You can download it from http://www.backtrack-linux.org/downloads/.  BackTrack is a great collection of software and tools in a bootable DVD or in a VM.  As described on the BackTrack home page:

BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.

Even if penetration testing is not your thing, this is an easy way to get some of the most popular security tools into your hands without having to search and download from all over the Internet.

Enjoy!

Adobe Reader is vulnerable yet again

Published on April 30, 2009 in Patching and Uncategorized. Closed Tags: , , .

I figured it would happen eventually, but not quite so soon. It appears that Adobe Reader is suffering from at least two more zero-day vulnerabilities – less than two months after the JBIG2 vulnerability.  Here’s the low-down.

All currently supported shipping versions of Adobe Reader and Acrobat (9.1, 8.1.4, and 7.1.1 and
earlier versions) are vulnerable to this issue. Adobe plans to provide updates for all affected versions
for all platforms (Windows, Macintosh and UNIX) to resolve this issue.  The vulnerabilities are in the JavaScript engine of the Adobe products.  This, by the way, affects both Adobe Reader and Adobe Acrobat.  The vulnerabilities exist in two JavaScript functions; getAnnots() and spell.customDictionaryOpen() and both allow remote code execution.  One way to protect yourself is to disable JavaScript – see the simple instructions from F-Secure.

Many people made this recommendation when the last vulnerability was uncovered (jbig2 vulnerability), but it just seems to be louder this time; find an alternative reader to the Adobe Reader product.  If you need an idea for what is available out there, take a look at PDFreaders.org.  I know that I have made the recommendation where I work, but it might not be that easy.  Corporations sometimes will rely heavyly on Adobe Reader to view custom business forms that are used on a daily basis with customers.  That reliance will often show itself in the in-house applications that make calls directly to the Adobe DLL.

You can read a bit more about the challenges of replacing Adobe Reader and Acrobat here.

The importance of password audits

Published on March 16, 2009 in Strategies. Closed Tags: , .

Have you ever tried to crack your network user’s passwords?  Why would you do that you ask?  Simple, compliance check is one reason.  The other is to better understand what is possible and what kind of password your users are using.  In this post, I’ll discuss why it is a very good idea to do periodic password audits in your network.

You might might think that the idea of running a password cracking program on your network users is a waste of time.  In fact, you have to remember that if the bad guys are most likely to use that type of tool, you should use it first.  That way you will know what a black hat will be able to get out our your password database.  Here are a few reasons why you should do regular password audits.

You should not have the false comfort that your network is safe just because you have turned on complex password group policy in active directory.  The rules of complex password in active directory are as follow:

  • The password is at least six characters long.
  • The password contains characters from at least three of the following five categories:
    • English uppercase characters (A – Z)
    • English lowercase characters (a – z)
    • Base 10 digits (0 – 9)
    • Non-alphanumeric (For example: !, $, #, or %)
    • Unicode characters
  • The password does not contain three or more characters from the user’s account name.

Using those rules, that means that the password Password1 is actually a valid password.  How good of a password is that?  This a valid password because active directory does not actually do a password complexity check.  What it does is more accurately described as a password constraint check.  The idea of complex passwords is that it should force users to not use dictionary words as their passwords.  Since it is not practical to have a full dictionary in Active Directory to make sure that passwords are not in the dictionary, the designers simply impose constraints on what your password should be like.  Hence, the complex password group policy constraints as described above.

Another aspect of passwords is that people will tend to re-use the same password everywhere they can.  What this means is that the password is only as strong as the weakest link.  Namely, if you use the same password on a web site that is easily compromised, the black hat will try the newly discovered password on your bank account as well, knowing full well that it is likely going to be the same password.

If you are not willing, or allowed to do a password audit on your network, you really should take a look a studies that were done on passwords that have been revealed because of security breaches.  There has been two recent incidents that are worthy of reading.  One is an article on Dark Reading (http://www.darkreading.com/blog/archives/2009/02/phpbb_password.html) about the phpbb.com web site hack.  The other one is from Bruce Schneier who did an analysis on passwords that were published by people behind a fake MySpace web page used in a phishing campain.

Whenever possible, you should use some kind of two-factor authentication, such as smart cards or an RSA token.

One of the best known password cracking software is L0pthCrack, which used to be owned by Symantec.  L0pthCrack has recently been re-acquired by its original authors.  They intend to update the venerable software and start selling it again.  There is other software that can be purchased (and some free) that can help you audit your user’s password.

Critical Adobe Reader update – Upgrade NOW!

Published on March 11, 2009 in Patching. Closed Tags: , .

If you do nothing else today, make sure you at least upgrade your users to the latest version of Adobe Reader.

The vulnerability was announced back on February 20th, but now Adobe released an update to their Reader product.  You can see the bulletin here:

http://www.adobe.com/support/security/bulletins/apsb09-03.html

There are a few interesting things to note.  As indicated in a post by Ryan Naraine on ZDNet, the updates are for Adobe Reader 9 only.  The most frustrating thing right now is that in their infinite wisdom, Adobe did not provide a patch update for Adobe Reader (a file with the MSP extension) which can be applied to your existing installation of Adobe Reader.  Instead, they simply point to their standard URL to download Adobe Reader.

Acrobat 9 Standard, Acrobat 9 Pro and Acrobat 9 Extended for Windows are all available as MSP patches.

Don’t wait, upgrade your users as soon as you can because this is a nasty one.  Users who download a malicious PDF do not need to open it to fall victim to that flaw.

Hopefully, Adobe will release a patch file for Adobe Reader soon.

Perimeter defense is useless!

Published on March 9, 2009 in Strategies. Closed Tags: , , , , , , , .

I think it is well known by security experts that the old perimeter defense model just does not work any more. A firewall does give some protection, but users are constantly asking that ports be opened so that they can access services outside of the corporate network.  Not only that, but there is not much to prevent malicious traffic to go through your ports that are already opened.  Should we ditch the firewall?  No, but you should add more layers to your defense.  In this post, I will list of the defenses you should have in your environment.

Whenever such a user requests to have yet another port to be opened, you should make sure that you restrict as much as possible the end-points that can make use of that port you are opening up. For example, John asks that a port be opened so he can establish a VNP connection from the corporate LAN to a business partner, you should make sure that only John’s IP address is allowed to use that port and that there is only one outside IP address that John can reach on that port.

Firewall management is not what keeps me up at night though. What keeps my up at night is the fact that it is so easy to create tunnels from inside my network to the outside over well known ports, such as port 80 or 443 in order to access anything that you would normally block at the firewall. That plus the fact that now you cannot browse most web sites with first installing such things as Flash player and Adobe PDF reader.

A recently vulnerability in Adobe Reader for which there is no patch as of now (Adobe said they will release one on March 11th) is a rather scary one.  This type of vulnerability can be exploited without the user even opening the malicious PDF! How can you defend yourself against that?!  You should have as many layers as possible in order to prevent that malicious PDF from succesfully penetrate your network.  The Verison Business Security Blog has a very good list of steps that can be taken to protect yourself against that threat.  of course, you could always drop Abode Reader altogether.

In general though, that approach can be applied against any threats.  Here are the different layers you should have in place in order of priority:

  1. A firewall.  I would venture to guess that everyone out there has that one in place.  Make sure that a regular review of what rules you have in place is done.
  2. Intrusion Detection (IDS) or better yet, Intrusion Prevention (IPS).  If you can affort it, TippingPoint is probably a leader in that field and works great.  At the very least, you should have Snort in your network.
  3. Don’t allow your users to be local administrators.  Most of the people that get infected with malware  and virus are logged on with local administrator rights.  That’s a very bad idea.  Lock down those users!
  4. Anti-Virus on every machines.  AV is not perfect as it is a reactive technology, but it will catch a lot of what is out there.  Anti-Virus products now can do more than just detecting and cleaning virus.  The can block use of certain ports on your hosts (such as port 25 for e-mails or ports typically used for IRC).
  5. Host-based Intrusion Detection System (HIDS).  This technology is starting to catch on in corporate environments.  This is basically the equivalent of having ZoneAlarm on each desktop, but centrally managed by the corporate IT.
  6. Last but not least, patching!  Make sure that you are current in your OS patches and your application patches.  That is not always easy in corporate environment since it sometimes requires careful testing and planning.

In my experience, the mobile users are the weak links.  Once they take their laptops outside of the corporate LAN, many of those defensive layers, such as IPS and the firewall, are no longer there to protect them.  That’s why you need to have strong defenses on the workstations, such as disk encryption and HIDS.

Can anyone think of other layers that should be in place?

Disection of a web based infection

Published on February 21, 2009 in Security. Closed Tags: , , , .

Gone are the days where you actually had to convince someone to open your malicious e-mail attachment to get malicious software installed. Now all you need is to browse a compromised web site and you can become a victim in a matter of seconds. This post will dissect the home page of such a web site and explain the different ways that bad guys are trying to install their malicious software onto your computer.

I was alerted to this compromised web site when our anti-virus console sent me an e-mail because it blocked a trojan on a user’s machine. This e-mail also included the URL of the compromised web site. The trojan is known as JS/Obfuscated by McAfee or JS.Obfuscated.Gen by Bit Defender. The anti-virus actually is able to detect the way the code on the web page has been obfuscated by the author.  This web page only got a 12.83% coverage amongst 39 different AV engines according to Virus Total.  I can only hope that the AV that did not catch that compromised web page will catch whatever the web page will download on the user’s computer before it causes real damage.

You would think that it would be easy to convince the owner of the web site to take action.  Unfortunately, it is not so.  I phoned them personally on Wednesday, Feb. 11.  I actually got a call back on Tuesday, Feb. 17.  I gave the details to the web master.  As of right now (Feb. 21), the site is still has the malicious JavaScript on its home page.  The site is at www dot airdrietrailer dot com and you should not browse it with Internet Explorer on Windows.  You are likely to get infected (especially if you do not keep up with patches).  I took a closer look at the malicious code and it tries to infect you through multiple attack vector, but those are specifically targeting IE.  The nice lady at Airdri Trailer Sales told me that she had already received calls from other people also telling her that their web site is infecting people, but their webmaster could not find what the problem was.

Here is a quick summary of how the infection works:

  1. The web site is somehow compromised and web page(s) modified to inject iFrame into each page on the site.
  2. A user browse the web site, the injected JavaScript code is executed, creating the iFrame which connect to a malicious site to download more code.
  3. The downloaded code is executed and tries multiple attack vectors in order to write to your hard drive.  If one of those vulnerabilities work, a payload is downloaded and executed on your computer.

And voila!  You have been p0wned.

Dissecting the attack

The malicious code is tacked at the bottom of the web page. The code is in two <script></script> blocks.  It is obfuscated by having a bunch of gibberish assigned to variables.  There is actually a bit of code visible in that gibberish, just enough to remove the obfuscation, which is rather simple.  Using the Malzilla tool, it makes it easy to see the code.  The first block reveals how it will de-obfuscate the code.  There are four block of codes that will be de-obfuscated by doing a string substition.  Here are some of the string that are replaced.

  1. Replace aHM with a % character
  2. Replace Zm with the D character
  3. Replace ouG with a % character
  4. Replace tr4 with a 3 character
  5. Replace %P5 with a 2 character
  6. there are more such substitions

All of those strings are then unescaped, and passed to the eval() function to be executed.  That’s where the real action is.

  1. The first block inserts a <BODY> </BODY> and a <DIV> tag into the web page if it finds that the body is empty.
  2. The second block gets a pointer to that DIV and saves it to a variable.  As well, it creates an iFrame element and sets it to a size of 1×1 and sets the source to point to a malicious web site (store16 dot looneytoons dot cc).  Doing a whois on that site reveals that it is a legitimate site registered by Warner Brothers.  Although there is a web server there, it does not return anything as of right now.
  3. Finally, the third block set the iFrame to hidden, gives it an id and appends it to the DIV created in the first block of code.

Since the iframe src attribute is pointing to malicious site, it populates itself with new HTML wich includes more JavaScript.  At that point, the code tries a few number of things in order to gain access to the operating system to enable to write files to your hard drive.  In fact, some of the code looks very much like it was borrowed from the Metasploit framework.  Here are all of the attack vectors that this code tries to exploit:

  1. Flash ActiveX if the version less than 9.0.124
  2. Adobe Reader
  3. Microsoft Office snapshot viewer ActiveX exploit (MS08-041 will protect you)
  4. AOL SB.SuperBuddy ActiveX code found in AOL Client Software 9.0 Security
  5. QuickTime
  6. Microsoft DirecAnimation ActiveX (MS06-067 will protect you)
  7. An oldie but goodie, Microsoft DDS Library Shape Control which was part of Visual Studio 2002 (MS05-052 will protect you)
  8. Windows Sell Remote Code Execution Vulnerability (MS06-57 will protect you)

Bottom line, if you are up to date on patches, you will not have problems.  The trick is to update not only Windows, but all your software you have on your computer.  Not so easy as most people do not really know what actually have installed over time.  The best thing you can do is to visit Secunia Software Scanning and use their scanner.  It will tell you all the software you have installed that requires updates.  If you actually download and install their software, it will keep track of what you have and let you know when there are new updates.

I do have the JavaScript saved, let me know if you would like to see it.

Time to patch your printers

Published on February 9, 2009 in Patching. 1 Comment Tags: , , , .

This might surprise some, but printers need patching too.  The rule of thumb you should use is if it has an IP address, then it can be vulnerable and will most likely require a patch at some point in time.

SANS handler’s diary has just published such a story – Time to patch your HP printers.  The actual HP bulletin is here.  Looks like PC Advisor also picked up the story.

The easiest way to do the firmware upgrade is to use HP’s Web Jetadmin.  Using Web Jetadmin, you can discover all your printers on your LAN and remotely do firmware upgrades.

Although this vulnerability only allows the bad guys to access any files on the printer (and therefore view previously printed documents), I can foresee printers being used as a staging point for more serious things.  The reason is that printers have not received the same amount of scrutiny that workstations/serves have and most likely are softer targets.  As well, printers do not run anti-virus or other kind of defensive software.  So what should you do?  Here are a few things that will harden your printers:

  1. Use a central management console like Web Jetadmin.  This will allow you to discover any new printers added and to easily deploy the latest firmware.
  2. Keep up with the firmware releases.  This is probably a difficult one to do, especially if you use printers from a number of vendors.  You should at least do a round of patching once a year.
  3. Scan your printers for vulnerabilities.  Make sure to use a tool that can differentiate between a printer device and a workstation.  If it doesn’t, scanning can lead to lockups and rebooting of your printers.  Not so good if it’s in the middle of printing a big color job by your boss.  Nessus scanner is one such scanner.  Be warned that scanning your printer will probably cause it to print a few pages.

If anyone else has anything else that they do to harden their printers, please use the comments below.

Web content filtering without installing any software

Published on February 8, 2009 in Networking. 2 Comments Tags: , , .

If you could protect your whole network from malware, adware, porn and other web sites that should not ever be viewed by employees or children, wouldn’t you do it?  What if I told  you that you can, and you don’t even have to install any software anywhere in your network?  I usually go by the old adage that if it sounds to good to be true, it probably is.  This is one time where that’s not true.

My secret weapon is called OpenDNS.  I use pfSense firewall at home and I also have installed this great freeBSD based firewall at three other customer’s sites.  Although the ISP for each of these sites supply their own DNS server, I do not point the firewall to their DNS.  I simply set the DNS server address on the General Setup page to point to

  • 208.67.222.222
  • 208.67.222.220

Using OpenDNS does not really slow things down in any way (not that anybody can truly notice anyway).  Also, OpenDNS is introducing a free service to protect you from the Conficker worm.  Read this post from The Register to see all of the details.  Go on and create yourself an account on OpenDNS.  You’ll be able to do filtering based on 27 categories.  The service you get for free from these guys is top notch.

Update: Looks like has just published a very concise page about the Conficker worm and how to deal with it.  Check it out at http://technet.microsoft.com/en-us/security/dd452420.aspx

Update (Feb. 10): Looks like OpenDNS official blog has more information about their new feature.


Use OpenDNS

Add IT a digital life Mippin widget