Wednesday, 15 February 2012

Practical Malware Analysis Book Promotion

I'm very pleased to share news of an awesome new book titled Practical Malware Analysis by Michael Sikorski and Andrew Honig. The authors will present a Webinar on their book on Wednesday 29 February at 2 pm eastern. I was pleased to write the foreword, which ends with these words:

If the malware authors are ready to provide the samples, the authors of the book you’re reading are here to provide the skills. Practical Malware Analysis is the sort of book I think every malware analyst should keep handy. If you’re a beginner, you’re going to read the introductory, hands-on material you need to enter the fight. If you’re an intermediate practitioner, it will take you to the next level. If you’re an advanced engineer, you’ll find those extra gems to push you even higher—and you’ll be able to say “read this fine manual” when asked questions by those whom you mentor.

Practical Malware Analysis is really two books in one—first, it’s a text showing readers how to analyze modern malware. You could have bought the book for that reason alone and benefited greatly from its instruction. However, the authors decided to go the extra mile and essentially write a second book. This additional tome could have been called Applied Malware Analysis, and it consists of the exercises, short answers, and detailed investigations presented at the end of each chapter and in Appendix C. The authors also wrote all the malware they use for examples, ensuring a rich yet safe environment for learning.

Therefore, rather than despair at the apparent asymmetries facing digital defenders, be glad that the malware in question takes the form it currently does. Armed with books like Practical Malware Analysis, you’ll have the edge you need to better detect and respond to intrusions in your enterprise or that of your clients. The authors are experts in these realms, and you will find advice extracted from the front lines, not theorized in an isolated research lab. Enjoy reading this book and know that every piece of malware you reverse-engineer and scrutinize raises the opponent’s costs by exposing his dark arts to the sunlight of knowledge.

To announce the book, the publisher is running this promotion: Use discount code REVERSEIT to get 40% off Practical Malware Analysis. One week only! Free ebook with all print book purchases.

The authors also started a new blog at practicalmalwareanalysis.com.

Tuesday, 14 February 2012

Happy Valentine's Day!

Wishing you a happy Valentine's Day from Tutorial Geek!

[Before and after images]

Check out this tutorial if you would like to see how to do this yourself.

Monday, 13 February 2012

I Want to Detect and Respond to Intruders But I Don't Know Where to Start!

"I want to detect and respond to intruders but I don't know where to start!" This is a common question. Maybe you have a new security role in an organization, or a new service or business in your current organization, or some other situation where you want to find and stop attackers. However, you have no idea where to begin. Do you have the data you need? If not, what should you add? What do intrusions look like in the data you collect?

These questions can be tough to answer from a purely theoretical perspective. I propose the following approach.

First, conduct a tabletop exercise where you simulate adversary actions. At each stage of the imagined attack, consider what evidence an intruder might create while taking actions against your systems. For example, if you are trying to determine how to detect and respond to an attack against a Web server, you're almost certainly going to need Web server logs. If you don't currently have access to those logs, you've just identified a gap that needs to be addressed. I recommend this sort of tabletop exercise first because you will likely identify deficiencies at low cost. Addressing them might be expensive though.

Second, conduct a technical exercise where a third party simulates adversary actions. This is not exactly a pen test but it is the sort of work a red team conducts. Ask the red team to carry out the attacks you previously imagined to determine if you can detect and respond to their activity. This should be a controlled action, not an "anything goes" event. You will see whether the evidence and processes you identified in the first step help you detect and respond to the red team activity. This step is more expensive than the previous one because you are paying for red team attention, and again fixes could be expensive.

Third, you may consider re-engaging the red team to carry out a less restrictive, more imaginative adversary simulation. In this exercise the red team isn't bound by the script you devised previously. See if your improved data and processes are sufficient. If not, work with the red team to devise better detection and response so that you can handle their attacks.

At this point you should have the data and processes to deal with the majority of real-world attacks. Of course some intruders are smart and creative, but you have a chance against them now given the work you just performed.

Saturday, 04 February 2012

Impressions: Network Warrior, 2nd Ed

Five years ago I reviewed the first edition of Network Warrior by Gary A. Donahue. Thanks to O'Reilly I can post my "impressions" of the second edition of this great book. Although I read almost all of it, I am unable to post another review because Amazon.com has my previous review attached to the new edition.

In brief, Network Warrior, 2nd Ed is the book to read if you are a network administrator trying to get to the next level. All of my praise from the previous review applies to the new book. The book is really that good, primarily because it combines very clear explanations with healthy doses of real-world experience. Thanks to Mr Donahue for taking the time to update his book!

Impressions: Windows Sysinternals Administrator's Reference

Mark Russinovich and Aaron Margosis have written another awesome addition to the Microsoft Press catalog, Windows Sysinternals Administrator's Reference. Per my policy, because I did not read the whole book I am only posting "impressions" here and not a full Amazon.com review.

In brief, this book will tell you more about the awesome Sysinternals tools than you might have thought possible. One topic that caught my attention was using Process Monitor to summarize network activity (p 139). This reminded me of Event Tracing for Windows and Network Tracing in Windows 7. I remain interested in this capability because it can be handy for incident responders to collect network traffic on endpoints without installing new software, relying instead on native OS capabilities.

I suggest keeping a copy of this book in your team library if you run a CIRT. Thorough knowledge of the Sysinternals tools is a great benefit to anyone trying to identify compromised Windows computers.

Impressions: The Tangled Web

Six years ago I reviewed Michal Zalewski's first book, Silence on the Wire. Michal is a security researcher who has consistently created high-quality content for a very long time, so I was pleased to receive a review copy of his newest book The Tangled Web.

I did not read the whole book, hence I'm posting only my "impressions" here. I recommend reading this book if you want to know a lot, and I mean a lot, about how screwed up Web browsers, protocols, and related technologies truly are. Because many points of the book are tied to specific browser versions, I suspect its shelf life will degrade a little more rapidly than some other technical titles. Still, I am shocked by the amount of research and documentation Michal performed to create The Tangled Web.

As always, Michal's content is highly readable, very detailed, and well-sourced. It's a great example for other technical authors. Great work Michal!

The Toughest Question in Digital Security

The toughest question in digital security is "who cares?"

The recent Tweet by hogfly (@4n6ir) made me ponder this question. He points to an Aviation Week story by David Fulghum, Bill Sweetman, and Amy Butler titled China's Role In JSF's Spiraling Costs. It says in part:

How much of the F-35 Joint Strike Fighter’s spiraling cost in recent years can be traced to China’s cybertheft of technology and the subsequent need to reduce the fifth-generation aircraft’s vulnerability to detection and electronic attack?

That is a central question that budget planners are asking, and their queries appear to have validity. Moreover, senior Pentagon and industry officials say other classified weapon programs are suffering from the same problem. Before the intrusions were discovered nearly three years ago, Chinese hackers actually sat in on what were supposed to have been secure, online program-progress conferences, the officials say.

The full extent of the connection is still being assessed, but there is consensus that escalating costs, reduced annual purchases and production stretch-outs are a reflection to some degree of the need for redesign of critical equipment. Examples include specialized communications and antenna arrays for stealth aircraft, as well as significant rewriting of software to protect systems vulnerable to hacking.

It is only recently that U.S. officials have started talking openly about how data losses are driving up the cost of military programs and creating operational vulnerabilities, although claims of a large impact on the Lockheed Martin JSF are drawing mixed responses from senior leaders. All the same, no one is saying there has been no impact.

While claiming ignorance of details about effects on the stealth strike aircraft program, James Clapper, director of national intelligence, says that Internet technology has “led to egregious pilfering of intellectual capital and property. The F-35 was clearly a target,” he confirms.

The point of this article is to question the impact, in business and operational terms, of the cyberwar China continues to prosecute against the West.

The toughest question in digital security is "who cares" because it is usually extremely difficult to determine the impact of an intrusion. Consider the steps required to define the business and operational impact of the theft of intellectual property (as one example -- there are many others).

  1. The victim must learn that an intrusion occurred.
  2. The victim must determine exactly what IP was stolen.
  3. The victim must understand the adversary's capability and intention to exploit the stolen IP.
  4. The victim must recognize when the adversary exploits the stolen IP by using it in an operational context.
  5. The victim must determine what countermeasures or changes in courses of actions are possible to mitigate the adversary's exploitation of the stolen IP.
  6. The victim must synthesize most or all of the previous points into an assessment of the business and operational cost of the IP theft.

Steps 1 and 2 are largely technical, but 3-6 are more business-focused. From what I have seen, everyone who is a victim in the ongoing cyberwar struggles to conduct "battle damage assessment" (BDA) for digital intrusions. Articles like the one I cited are examples showing how difficult it is to determine if anyone should care about China's exploitation of Western IP.

Friday, 03 February 2012

Evtsys Part I

Eventlog-to-syslog was a Purdue University project that has been taken up by Sherwin Faria on Google Code and recently updated. The project is Windows 7 compliant and helps with processing audit policies that produce a large number of log entries, such as those enabled by the commands:

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable

or the all inclusive:

auditpol /set /category:*

To use evtsys, I install Cygwin with syslog on my local Win 7 host, configure /etc/syslog.conf as needed, and start the syslog daemon ('net start syslogd'). Then I install Eventlog-to-syslog, configure evtsys.cfg, start evtsys (-i to install as a service or -d for debug mode) and invoke gawk/bash incantations on the messages file to handle queries. These tools give me several advantages over other tool sets ('Get-winevent', 'psloglist', 'eventviewer') designed to query Windows event logs: fast, elegant, text-based storage and filtering. Through the syslog facility, network message passing is possible. The default installation configures itself in the registry as shown below; these values can be changed [from Powershell], presumably taking effect after restarting the service:

PS C:\Windows\system32> gci registry::HKLM\Software\ECN\EvtSys\

    Hive: HKLM\Software\ECN\EvtSys

Name                           Property
----                           --------
3.0                            Facility       : 3
                               LogHost        : 127.0.0.1
                               LogHost2       :
                               LogHost3       :
                               LogHost4       :
                               Port           : 514
                               StatusInterval : 0
                               QueryDhcp      : 0
                               LogLevel       : 0
                               IncludeOnly    : 0
                               Tag            :
                               MaxMessageSize : 1024
                               EnableTcp      : 0

PS C:\Windows\system32> set-itemproperty -path HKLM:Software\ECN\EvtSys\3.0\ -name Facility -value 5
PS C:\Windows\system32> gci registry::HKLM\Software\ECN\EvtSys


    Hive: HKLM\Software\ECN\EvtSys


Name                           Property
----                           --------
3.0                            Facility       : 5
                               LogHost        : 127.0.0.1
                               LogHost2       :
....

They can also be configured by the command line installation:

PS C:\Windows\system32> evtsys /?
Version: 4.4 (64-bit)
Usage: C:\Windows\system32\evtsys.exe -i|-u|-d [-h host] [-b host] [-f facility] [-p port]
       [-t tag] [-s minutes] [-l level] [-n]
  -i           Install service
  -u           Uninstall service
  -d           Debug: run as console program
  -h host      Name of log host
  -b host      Name of secondary log host
  -f facility  Facility level of syslog message
  -l level     Minimum level to send to syslog.
               0=All/Verbose, 1=Critical, 2=Error, 3=Warning, 4=Info
  -n           Include only those events specified in the config file.
  -p port      Port number of syslogd
  -q bool      Query the Dhcp server to obtain the syslog/port to log to
               (0/1 = disable/enable)
  -t tag       Include tag as program field in syslog message.
  -s minutes   Optional interval between status messages. 0 = Disabled

Default port: 514
Default facility: daemon
Default status interval: 0
Host (-h) required if installing.

Check.c of the 4.0 code shows the conversion table for the facility levels:

/* Facility conversion table */
static struct {
        char * name;
        int id;
} FacilityTable[] = {
        { "auth", SYSLOG_AUTH },
        { "authpriv", SYSLOG_AUTHPRIV },
        { "cron", SYSLOG_CRON },
        { "daemon", SYSLOG_DAEMON },
        { "ftp", SYSLOG_FTP },
        { "kern", SYSLOG_KERN },
        { "local0", SYSLOG_LOCAL0 },
        { "local1", SYSLOG_LOCAL1 },
        { "local2", SYSLOG_LOCAL2 },
        { "local3", SYSLOG_LOCAL3 },
        { "local4", SYSLOG_LOCAL4 },
        { "local5", SYSLOG_LOCAL5 },
        { "local6", SYSLOG_LOCAL6 },
        { "local7", SYSLOG_LOCAL7 },
        { "lpr", SYSLOG_LPR },
        { "mail", SYSLOG_MAIL },
        { "news", SYSLOG_NEWS },
        { "ntp", SYSLOG_NTP },
        { "security", SYSLOG_SECURITY },
        { "user", SYSLOG_USER },
        { "uucp", SYSLOG_UUCP }
};

You can test them with the debug (console) option. However, the console will not return all messages.

evtsys -d -h RMFVPC -p 514
Checking ignore file...
Feb  3 10:13:26 RMFVPC Eventlog to Syslog Service Started: Version 4.4 (64-bit)
Feb  3 10:13:26 RMFVPC Flags: LogLevel=0, IncludeOnly=False, EnableTcp=False, IncludeTag=False, StatusInterval=0

To see all messages, you can tail /var/log/messages with or without text filtering:

rferrisx@rmfvpc /var/log

$ tail -f messages | gawk '{print $1,$2,$3,$4,$5,$6,$7}'
Feb 3 13:24:29 rmfvpc RMFVPC Security-Auditing: 5156:
Feb 3 13:24:29 rmfvpc RMFVPC Security-Auditing: 5152:
Feb 3 13:24:29 rmfvpc RMFVPC Security-Auditing: 5152:
...
Feb 3 13:24:37 rmfvpc RMFVPC Security-Auditing: 5156:
Feb 3 13:24:37 rmfvpc RMFVPC Security-Auditing: 5152:
Feb 3 13:24:38 rmfvpc RMFVPC Security-Auditing: 4688:

Searching the Messages file with gawk is fast, most probably faster than with 'get-winevent', 'psloglist', or eventvwr filters:

gawk -F":" '{print $4}' Messages | sort -nr | uniq -c | sort -nr

145530  5156
137132  5447
 81992  5158
  9393  5154
  7397  5152
  5754  4688
  5475  4689
  2988  4957
  ...

gawk -F":" '$4 == 5156 {print $10,$11,$12,$13,$14,$15}' Messages

Outbound Source Address  192.168.0.11 Source Port  137 Destination Address  192.168.0.255 Destination Port  137 Protocol  17
Inbound Source Address  192.168.0.255 Source Port  137 Destination Address  192.168.0.11 Destination Port  137 Protocol  17
Inbound Source Address  192.168.0.255 Source Port  137 Destination Address  192.168.0.11 Destination Port  137 Protocol  17
Inbound Source Address  192.168.0.255 Source Port  137 Destination Address  192.168.0.11 Destination Port  137 Protocol  17
Inbound Source Address  239.255.255.250 Source Port  1900 Destination Address  192.168.0.1 Destination Port  1900 Protocol  17
Inbound Source Address  239.255.255.250 Source Port  1900 Destination Address  192.168.0.1 Destination Port  1900 Protocol  17
....

gawk -F":" '$4 == 5156 {print $13}' Messages | gawk '{print $1}' | sort -nr | uniq -c | sort -nr
  69562 192.168.0.1
   5992 192.168.0.11
   4020 127.0.0.1
   3765 6172
   3694 192.168.0.5
   2950 192.168.0.255
  ...

gawk -F":" '$4 == 5158 {print $11}' Messages | gawk '{print $1}' | sort -nr | uniq -c | sort -nr | more
   23
    7 514
    6 1434
    5 49154
    5 49153
    4 63982
    4 60711
    4 58924
  ....

gawk -F":" '$4 == 5447 {print $18,$19}' Messages | sort -nr | uniq -c | sort -nr
  29026  Media Center Extenders - WMDRM-ND/RTP/RTCP (UDP-In) Type  Not persistent Run-Time ID
  10186  File and Printer Sharing (Spooler Service - RPC-EPMAP) Type  Not persistent Run-Time ID
  10061  Media Center Extenders - RTSP (TCP-In) Type  Not persistent Run-Time ID
   5889  Boot Time Filter Type  Not persistent Run-Time ID
   2967  Port Scanning Prevention Filter Type  Not persistent Run-Time ID
   2201  Microsoft Visual Studio 11 Developer Preview Remote Debugger Discovery (devenv.exe) Type
   2111  Query User Type  Not persistent Run-Time ID
   1714  Network Discovery (SSDP-In) Type  Not persistent Run-Time ID
  ....
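The queries above pick out values by colon-separated field position, which works only while every message has the same number of colons. The post's own tallies hint at the weak spot: a port number ("3765 6172") shows up in the destination-address column of the 5156 count, and the 5158 port count has a blank top entry. As an added example (not code from the post or the evtsys project), the script below runs the same kind of event-ID histogram and 5156 destination tally with POSIX awk over a constructed messages file whose layout is modelled on the gawk output shown above, and contrasts the positional approach with matching on the "Destination Address:" label so that an application path containing a drive-letter colon does not shift the columns. The sample lines, process IDs, addresses and function names are all assumptions.

```shell
#!/bin/sh
# Added example: tally evtsys-forwarded Windows events in a syslog messages
# file. Everything below is constructed for illustration, not captured data.

# Write constructed sample messages to a temp file and print its path.
# Layout follows the post's gawk output: "<timestamp> <host> <source>: <id>: <text>".
sample_file() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Feb  3 10:13:26 RMFVPC Eventlog to Syslog Service Started: Version 4.4 (64-bit)
Feb  3 13:24:29 rmfvpc RMFVPC Security-Auditing: 5156: The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Outbound Source Address: 192.168.0.11 Source Port: 137 Destination Address: 192.168.0.255 Destination Port: 137 Protocol: 17
Feb  3 13:24:29 rmfvpc RMFVPC Security-Auditing: 5152: The Windows Filtering Platform has blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: Inbound Source Address: 192.168.0.5 Source Port: 63982 Destination Address: 192.168.0.11 Destination Port: 1434 Protocol: 17
Feb  3 13:24:29 rmfvpc RMFVPC Security-Auditing: 5156: The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1212 Application Name: System Network Information: Direction: Inbound Source Address: 192.168.0.255 Source Port: 137 Destination Address: 192.168.0.11 Destination Port: 137 Protocol: 17
Feb  3 13:24:37 rmfvpc RMFVPC Security-Auditing: 5156: The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 6172 Application Name: C:\Program Files\example\example.exe Network Information: Direction: Outbound Source Address: 192.168.0.11 Source Port: 49154 Destination Address: 192.168.0.255 Destination Port: 137 Protocol: 17
Feb  3 13:24:38 rmfvpc RMFVPC Security-Auditing: 4688: A new process has been created. Subject: Security ID: S-1-5-18 New Process Name: C:\Windows\System32\svchost.exe
EOF
  printf '%s\n' "$f"
}

# Histogram of event IDs: field 4 when split on ":" holds the ID; lines whose
# fourth field is not numeric (the service banner) are skipped.
event_histogram() {
  awk -F':' '{ id = $4 + 0; if (id > 0) c[id]++ }
             END { for (id in c) print c[id], id }' "$1" | sort -nr
}

# The post's positional approach: first word of the 13th colon-separated field.
# A colon inside the application path shifts the columns by two.
positional_5156_dest() {
  awk -F':' '$4 + 0 == 5156 { split($13, w, " "); print w[1] }' "$1"
}

# Label-anchored approach: locate "Destination Address: <value>" wherever it
# sits in the message, so extra colons elsewhere do not matter.
count_5156_dest() {
  awk -F':' '$4 + 0 == 5156 && match($0, /Destination Address: *[^ ]+/) {
      s = substr($0, RSTART, RLENGTH)
      sub(/^Destination Address: */, "", s)
      c[s]++
  } END { for (a in c) print c[a], a }' "$1" | sort -nr
}

f=$(sample_file)
echo "== events by ID =="
event_histogram "$f"
echo "== 5156 destinations, positional (the third line is a port, not an address) =="
positional_5156_dest "$f"
echo "== 5156 destinations, label-anchored =="
count_5156_dest "$f"
rm -f "$f"
```

On the constructed file the histogram reports three 5156 events, one 5152 and one 4688; the positional query returns a source port (49154) for the message whose application name contains "C:", while the label-anchored tally correctly attributes that message to 192.168.0.255. The same label trick applies to "Destination Port:" for the 5158 query and to "Filter Information" for 5447.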