Wednesday, August 25, 2010

Rule Release for Today, Wednesday August 25th, 2010

Adobe, vulnerabilities in Director, no kidding. Who would've thought that? Well, rules are out.

Check it out here: http://www.snort.org/vrt/advisories/2010/08/25/vrt-rules-2010-08-25.html

Wednesday, August 18, 2010

Rule Release for Today, Wednesday August 18th, 2010

Maintenance release this one, some new rules, some modifications, check it out here: http://www.snort.org/vrt/advisories/2010/08/18/vrt-rules-2010-08-18.html

Monday, August 16, 2010

ClamAV Release Announcements

ClamAV for Windows 2.0 has officially launched. This version contains a new GUI, numerous new detection features, a new prevention engine, and a ton of other features. Check out ClamAV for Windows 2.0 (here)

New Features Include:
  • New GUI - Completely new UI for a better user experience.
  • Community Visualization – Graphical representation of your community and an understanding of the threat landscape. Know where you, your country, and your community stand in relation to the rest of the world.
  • Community Notices – Stay up to date on the latest ClamAV for Windows news, emerging threats, and other relevant information.
  • New SPERO Engine – A new machine learning prevention and detection engine.
  • Enhanced companion support – Additional support of companion AV.

Not Familiar with ClamAV for Windows?
If you’re not one of the 150,000 current ClamAV for Windows 1.0 users and you have no idea what ClamAV for Windows is, here is a quick overview. It is a free real-time desktop antivirus with some really innovative and unique features.

Including but not limited to:
  • Fast Cloud based protections – ClamAV for Windows leverages the speed of cloud computing to deliver real-time protection to your PC
  • Light – ClamAV for Windows is up to 35 times lighter than traditional antivirus solutions.
  • Real-time – ClamAV for Windows provides cloud-based protection that is always up-to-date against viruses, spyware, bots, worms, Trojans, keyloggers without the need to download virus signatures every day.
  • Companionship – ClamAV for Windows is compatible with existing antivirus products to help protect you better. What is better than some extra, free protection?
  • Community Aware – ClamAV for Windows allows you to set up a community of friends, family, and associates that helps you detect new threats in your community. Protect one, protect everyone.

Not Done Yet
ClamAV 0.96.2 has also been released. If you use ClamAV on your mail gateway, web proxy, desktop scanner, or anywhere else, it is time to upgrade to the latest version. Highlights of the release include:
  • Extended PDF parsing and extraction
  • Speed improvements on DB loading
  • Improved handling of Safebrowsing DB
  • Bytecode clean ups and improvements
  • Improved memory usage and speed improvements (40MB less than 96.1)

Numerous platform-specific bugs, functionality bugs, and minor enhancements were also addressed. Please see the ClamAV bug tracker for complete details. Special thanks to all the users who filed bugs and feature requests; we appreciate your feedback and support.

Still Not Done:
The roadmap for ClamAV for Windows 3.0 has been finalized. In November of 2010 we’ll be releasing a fully integrated version of ClamAV for Windows that contains LibClamAV. You’ll be able to use all your custom ClamAV signatures, the standard ClamAV signatures, and 3rd party signatures with ClamAV for Windows. Keep a look out for more details on ClamAV for Windows 3.0 on the VRT Blog.

Finally Done:
As always, the Sourcefire VRT appreciates your support, use, and continued involvement in the ClamAV community. If you have bugs, feature requests, or cool ideas please check out the bug tracker and open your requests here.

Friday, August 13, 2010

Malware on Android? Big deal!

Malware and Google's Android OS are two of my favorite things to play with. You would think that when I heard that there was a Trojan in the wild targeting Android devices, I'd be all over it. Indeed, I was. But I was not happy because I just don't like the sound of "malware" and "Android" in the same sentence. I got a copy of the Trojan (MD5: fdb84ff8125b3790011b83cc85adce16) and proceeded to dissect it. Most Android applications are distributed in the form of Android Packages (.apk), and this was no exception. Apk files can be opened with dexdump, a tool provided by Google as part of the Android SDK. On my workstation, it's located under:
android-sdk-linux_86/platforms/android-6/tools
Let's run dexdump with the following options on the Trojan "RU.apk" and redirect the output to a file:
./dexdump -d -f -h ~/Desktop/RU.apk > ~/Desktop/out.txt
Going through the output and looking for the "onCreate" method, which is the method used to initialize an activity, I found:
[00083c] org.me.androidapplication1.HelloWorld.onCreate:(Landroid/os/Bundle;)V
HelloWorld?! What? Was this written by a n00b who copied the example project HelloWorld? The following was also found:
[000924] org.me.androidapplication1.MoviePlayer.onCreate:(Landroid/os/Bundle;)V
OK, MoviePlayer is the name of the application. I guess it must be some sort of movie player. This is confirmed by the presence of:
000c: const-string v2, "Нажмите ок для доступа к видеотеке" // [email protected]
That is Russian for "Click OK to access the video library" (thanks Google Translate). On "create", the function DataHelper.canwe() is invoked:
00094c: 6e10 1900 0600 000c: invoke-virtual {v6}, Lorg/me/androidapplication1/DataHelper;.canwe:()Z // [email protected]
The function checks a SQLite DB for the presence of "was" in table1 (yes, quite an interesting way to see whether the app was run before). If the application had never been run on the device, a function call is made to SmsManager.sendTextMessage:
001f: invoke-virtual/range {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;.sendTextMessage
This function call is made 3 times with short codes as the destination phone numbers: 3353, 3354 and 3353 again. The content of each of these short messages is "798657".
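The triage above, searching the dexdump listing for SmsManager.sendTextMessage and then reading off the string constants near it, can be scripted. The following Python is an added example written for this edit (not the Trojan's code and not a Sourcefire tool): it groups `dexdump -d` instruction lines under their method headers, reports every method that invokes sendTextMessage, and lists the string constants loaded in that method, which is where the short codes and the message body surfaced in this sample. The embedded listing is constructed to mirror the line shapes quoted in the post (the string@/method@ indices are made up), the regexes assume exactly those shapes, and the 3-to-5-digit short-code heuristic is an assumption of the example.

```python
import re
from dataclasses import dataclass, field

# Line shapes assumed here (mirroring the forms quoted in the post):
#   [00083c] org.me.androidapplication1.HelloWorld.onCreate:(Landroid/os/Bundle;)V
#   000c: const-string v2, "text" // string@0018
#   001f: invoke-virtual/range {v0, ..., v5}, Landroid/telephony/SmsManager;.sendTextMessage
METHOD_HEADER = re.compile(r"^\[[0-9a-f]{6}\]\s+(\S+?):\(")
CONST_STRING = re.compile(r'const-string(?:/jumbo)?\s+v\d+,\s+"((?:[^"\\]|\\.)*)"')
INVOKE = re.compile(r"invoke-\S+\s+\{[^}]*\},\s+(L[^;]+;)\.(\w+)")
SMS_SEND = ("Landroid/telephony/SmsManager;", "sendTextMessage")
SHORT_CODE = re.compile(r"^\d{3,5}$")  # heuristic for premium short codes (assumption)

# Constructed sample in dexdump -d shape; it is not the real Trojan's listing
# and the string@/method@ indices are made up.
SAMPLE_DEXDUMP = """\
[00083c] org.me.androidapplication1.HelloWorld.onCreate:(Landroid/os/Bundle;)V
0000: const-string v2, "Hello World" // string@0001
0004: return-void
[000924] org.me.androidapplication1.MoviePlayer.onCreate:(Landroid/os/Bundle;)V
000c: const-string v2, "Нажмите ок для доступа к видеотеке" // string@0018
0010: invoke-virtual {v6}, Lorg/me/androidapplication1/DataHelper;.canwe:()Z // method@0019
0013: const-string v3, "798657" // string@0020
0015: const-string v1, "3353" // string@0021
001f: invoke-virtual/range {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;.sendTextMessage // method@0022
0025: const-string v1, "3354" // string@0023
0029: invoke-virtual/range {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;.sendTextMessage // method@0022
002f: const-string v1, "3353" // string@0021
0033: invoke-virtual/range {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;.sendTextMessage // method@0022
"""


@dataclass
class Finding:
    method: str
    sms_calls: int = 0
    strings: list = field(default_factory=list)

    def short_codes(self):
        """Distinct string constants that look like short codes, in first-seen order."""
        return list(dict.fromkeys(s for s in self.strings if SHORT_CODE.match(s)))


def parse_methods(text):
    """Group instruction lines under the method header they belong to."""
    methods, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("|")  # dexdump -d prefixes body lines with '|'
        m = METHOD_HEADER.match(line)
        if m:
            current = m.group(1)
            methods[current] = []
        elif current and line:
            methods[current].append(line)
    return methods


def find_sms_senders(text):
    """Return a Finding for every method that calls SmsManager.sendTextMessage."""
    findings = []
    for name, body in parse_methods(text).items():
        f = Finding(method=name)
        for ins in body:
            s = CONST_STRING.search(ins)
            if s:
                f.strings.append(s.group(1))
            call = INVOKE.search(ins)
            if call and (call.group(1), call.group(2)) == SMS_SEND:
                f.sms_calls += 1
        if f.sms_calls:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in find_sms_senders(SAMPLE_DEXDUMP):
        print(f"{f.method}: {f.sms_calls} sendTextMessage call(s); "
              f"short-code-like strings {f.short_codes()}; all strings {f.strings}")
```

Run against a real `dexdump -d -f -h` dump the script flags MoviePlayer.onCreate and nothing in the HelloWorld activity; the per-method string list is what an analyst then reads by hand, since the destination and body of each SMS are passed in registers and only the constants are visible statically.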

So what would have happened had an unsuspecting user installed this application? The victim would have installed what appeared and pretended to be a benign application on his/her Android device. Instead of acting as a movie player the application would have sent 3 SMS messages to those short codes. This Trojan targets Russian speaking users and so the likelihood is that it is mostly going to be installed on handsets in Russia. According to Wikipedia, "the cost of the call or SMS to the short number varies from 1.2 to 300 rubles", which is between USD 0.03 and USD 9.8. The end result is that the victim wouldn't have a movie player on their handset, but would have been scammed out of money instead.

While this is certainly one of the first (or the first) Trojan found in the wild that targets Android, it's quite surprising how news outlets covered this story. The hype made it almost seem like there had never been malware targeting mobile devices before. Just a month ago, there were reports of malware affecting Symbian devices to create a botnet capable of sending SMS messages from compromised devices. Don't forget, Symbian is the top OS for phones based on market share.

In late 2009, a spyware application for BlackBerry OS called PhoneSnoop was making the headlines. It allowed a third party to listen in on any calls on the compromised phone. Finally, let's not forget about Ikee, the iPhone worm that was "rickrolling" jailbroken devices in Australia.

As for this Android SMS Trojan, it's been reported that it was not available for download through Google's official directory for applications, called the Android Market, and so users who got infected had no business downloading .apk files from other sources. Well, some developers such as Gameloft choose not to publish their app through the Android Market for whatever reason, so you would have to get their software from a location other than the Android Market. Then there is the fact that downloading an application from the Android Market does not guarantee that the application will behave exactly the way you expect based on its name and description. In fact, "Google does not intend, and does not undertake, to monitor the Products or their content" per their developer distribution agreement. Furthermore, "if Google is notified by you or otherwise becomes aware and determines in its sole discretion that a Product [...] is deemed by Google to have a virus or is deemed to be malware, spyware or have an adverse impact on Google's or an Authorized Carrier's network [...] Google may remove the Product from the Market". I think that's pretty clear and doesn't require any further explanation. What I get from this is that one should proceed cautiously if installing an application by an unknown developer from the Android Market that has been downloaded by a small number of people.

In comparing two dominant players in the mobile application arena, Google and Apple have very different approaches when it comes to how they've implemented their application stores. One leaves it up to the end users to review and comment on apps, whereas the other wants full control on what app gets approved for their store. Both sides have their share of fanboys and I am not here to determine which one is the best. I do wonder though, if from a security point of view, the best solution doesn't lie somewhere in the middle of these two approaches.

What did all this teach us? Simply that you should be aware that your smartphone is a prime target for attackers. Not only are smartphones more powerful than even the most powerful desktop computers from a few years ago, but they also provide easy access to your address book, your email accounts and social network accounts. With smartphone sales about to surpass worldwide PC sales by the end of 2011, it's not difficult to see how more vulnerabilities will be found and exploited in mobile devices, and how more malware targeting smartphones will be found in the wild. As always, we strongly recommend that you know and trust the wireless hotspot you are connecting your phone to, that you install trusted apps and that you browse trusted websites.

Thursday, August 12, 2010

Rule Release for Today, Thursday August 12th, 2010

Adobe, HP and Symantec products have issues, we have rules, check it out here:

http://www.snort.org/vrt/advisories/2010/08/12/vrt-rules-2010-08-12.html

Snort 2.9 Essentials: The DAQ

The recently released Snort 2.9 Beta introduces the Data AcQuisition library (DAQ) for packet I/O. The DAQ replaces direct calls into packet capture libraries like PCAP with an abstraction layer that makes it easy to add additional software or hardware packet capture implementations. DAQ 0.1 supports PCAP, AFPACKET, NFQ, IPQ, IPFW, and DUMP, which is used for testing.

So why the change? The DAQ is essentially an abstraction layer and a suite of pluggable modules that can be selected at run-time. This makes switching from passive to inline mode easy, without requiring a recompile of the Snort core. Additionally, it adds AFPACKET support, which makes it really easy to stand up an inline sensor without mucking around with iptables, setting up queues, and other administrative tasks. Finally, the DAQ is modular and easy to work with: if there is some special network capture card you need to support, adding a module for it is relatively straightforward.

USAGE : Building the DAQ Library and DAQ Modules
  • Download the DAQ from snort.org; it is called daq-0.1.tar.gz
  • Unpack it: tar -xvzf ./daq-0.1.tar.gz

Meet the following minimum requirements:
  • PCAP ≥ 1.0.0. PCAP 1.1.1 is available at the time of this writing and is recommended.
  • libdnet is required for IPQ and NFQ DAQs. If you run into any errors, check the DAQ distro README for tricks I used.
  • libnet is no longer required. Gone Gone Gone, and there was much rejoicing.
./configure ; make ; sudo make install
When the DAQ library is built, both static and dynamic module flavors will be generated; more on "why" later. If you need to tweak certain options, see configure's help by running:
./configure --help

Building Snort
Snort now needs to know where DAQ is installed on the system. If you installed it somewhere other than its default location, you'll need to add some extra switches to configure for Snort to build. If you didn't, you can ignore the below; Snort's configure should just find the DAQ library and build.
./configure --with-daq-includes=<inc dir> --with-daq-libraries=<lib dir>
If you install the daq-modules in a non-standard place, make sure your PATH is updated with the daq-modules location, because Snort's ./configure needs to run bin/daq-modules-config. This step isn't necessary if DAQ is installed in the default location. However, ldconfig or other system-specific commands may or may not need to be run.
PATH=/daq/install/prefix:$PATH
By default, snort will be built with a few static DAQ modules including PCAP, AFPACKET, and DUMP.

Once Snort is built.
To see Snort's available DAQs, run this:
snort [--daq-dir <dir>] --daq-list
The above command searches the specified directory (e.g. /usr/local/lib/daq) for DAQ modules and prints the type, version, and attributes of each. If you just want to see the built-in modules, leave off --daq-dir.

Output should look something like the following:
Available DAQ modules:
pcap(v2): readback live multi unpriv
nfq(v1): live inline multi
ipq(v1): live inline multi
ipfw(v1): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v1): live inline multi unpriv
You can see that 6 DAQs are available, that pcap doesn't support inline mode, that nfq and ipq don't support unprivileged operation, etc.

Configuring Snort
If everything went as planned, snort is now built with DAQ. By default Snort uses the PCAP module for reading files and for sniffing interfaces, so if that is all you do with snort you can stop reading, as it should just work.

However, if you run Snort inline, keep reading, as there are some new command-line switches and some new usage options.

Here is the full set of DAQ related command line and config file options:
snort [--daq <type>] [--daq-mode <mode>] [--daq-dir <dir>] [--daq-var <var>]
config daq: <type>
config daq_mode: <mode>
config daq_dir: <dir>
config daq_var: <var>
<type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
<mode> ::= read-file | passive | inline
<dir> ::= path where to look for DAQ module so's
<var> ::= arbitrary <name>=<value> passed to DAQ
Caveats:
  • If daq-mode is not set explicitly, -Q will force it to inline;
  • If daq-mode is not set explicitly, -r will force it to read-file;
  • The default daq-mode is passive.
  • Running -Q and --daq-mode inline are allowed, but -Q and any other DAQ mode will cause a fatal error at start-up.

USAGE
The following examples assume you have 3 Ethernet interfaces with management on eth0 and that you intend to pass traffic through your sensor between eth1 and eth2.

Using the PCAP DAQ
PCAP is the default DAQ. If snort is run w/o any DAQ arguments, it will operate as it always did using this module. This is common usage of snort, passive sniffing of an interface or reading back pcap files.

To do this you can use any of the following as they are all equivalent:
snort -i <device>
snort -r <file>
snort --daq pcap --daq-mode passive -i <device>
snort --daq pcap --daq-mode read-file -r <file>
You can also specify the PCAP buffer size if you need to, using:
snort --daq pcap --daq-var buffer_size=<#bytes>
  • NOTE - The PCAP DAQ does not count filtered packets.

Using the AFPACKET DAQ
AFPACKET is the easiest way to set up an inline sensor, and it has better performance than the standard PCAP interfaces.

To use AFPACKET in passive mode:
snort --daq afpacket -i <device> [--daq-var buffer_size_mb=<#MB>] [--daq-var debug]
If you want to run AFPACKET in inline mode, you must set device to one or more interface pairs, where each member of a pair is separated by a single colon and each pair is separated by a double colon. There is no need to configure a QUEUE or bridge with AFPACKET; you just need to bring up the interfaces and give Snort the correct command line.

Syntax for inline pairs
eth0:eth1
eth0:eth1::eth2:eth3
Running inline Snort
ifconfig eth1 promisc up
ifconfig eth2 promisc up
snort --daq afpacket -i eth1:eth2 -Q -c snort.conf
  • By default, the AFPACKET DAQ allocates 128MB for packet memory. You can change the allocation using the buffer_size_mb daq-var. See README.daq for the gory details of that calculation.
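To tie together the daq-mode caveats, the --daq-list output and the AFPACKET interface-pair syntax described above, here is an added Python helper written for this edit (it is not part of Snort or the DAQ distribution). It resolves the effective daq-mode from -Q, -r and --daq-mode the way the caveats state, checks that the chosen module advertises an attribute for that mode, validates an inline interface-pair string, and assembles the Snort argv. Assumptions of the example: the mode-to-attribute mapping (read-file needs readback, passive needs live, inline needs inline), refusing to bridge the management interface, and treating -Q together with -r as a conflict when no explicit mode is given; the embedded --daq-list listing is the one shown in the post, one module per line.

```python
# Attribute a module must advertise in `snort --daq-list` output for each
# daq-mode. Assumed mapping: the post only states that pcap lacks inline and
# that nfq/ipq lack unpriv.
MODE_ATTR = {"read-file": "readback", "passive": "live", "inline": "inline"}

# `snort --daq-list` output as shown in the post, embedded so this runs offline.
DAQ_LIST_OUTPUT = """\
Available DAQ modules:
pcap(v2): readback live multi unpriv
nfq(v1): live inline multi
ipq(v1): live inline multi
ipfw(v1): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v1): live inline multi unpriv
"""


def parse_daq_list(text):
    """Map module name -> set of attributes from --daq-list output."""
    modules = {}
    for line in text.splitlines():
        head, sep, attrs = line.partition("):")
        if sep:
            modules[head.split("(", 1)[0].strip()] = set(attrs.split())
    return modules


def resolve_daq_mode(explicit_mode=None, q_flag=False, read_file=False):
    """Apply the post's caveats to find the effective daq-mode."""
    if explicit_mode is not None:
        if q_flag and explicit_mode != "inline":
            raise ValueError(f"-Q with --daq-mode {explicit_mode} is a fatal error at start-up")
        return explicit_mode
    if q_flag and read_file:
        # Not covered by the post; treated as a conflict here (assumption).
        raise ValueError("-Q and -r given together without an explicit --daq-mode")
    if q_flag:
        return "inline"
    if read_file:
        return "read-file"
    return "passive"


def parse_inline_pairs(device, management=None):
    """Split 'eth1:eth2::eth3:eth4' into pairs, rejecting malformed or reused interfaces."""
    pairs, seen = [], set()
    for chunk in device.split("::"):
        members = chunk.split(":")
        if len(members) != 2 or not all(members):
            raise ValueError(f"bad pair {chunk!r}: expected exactly two interface names")
        for iface in members:
            if iface == management:  # extra check added in this example
                raise ValueError(f"management interface {iface} must not be bridged")
            if iface in seen:
                raise ValueError(f"interface {iface} appears in more than one pair")
            seen.add(iface)
        pairs.append(tuple(members))
    return pairs


def build_snort_cmdline(daq, device=None, explicit_mode=None, q_flag=False,
                        read_file=None, conf=None, daq_list=DAQ_LIST_OUTPUT,
                        management="eth0"):
    """Validate the option combination and return the argv Snort would be started with."""
    modules = parse_daq_list(daq_list)
    if daq not in modules:
        raise ValueError(f"unknown DAQ module {daq!r}; see snort --daq-list")
    mode = resolve_daq_mode(explicit_mode, q_flag, read_file is not None)
    if MODE_ATTR[mode] not in modules[daq]:
        raise ValueError(f"{daq} DAQ does not support {mode} mode")
    argv = ["snort", "--daq", daq, "--daq-mode", mode]
    if mode == "read-file":
        if read_file is None:
            raise ValueError("read-file mode needs -r <file>")
        argv += ["-r", read_file]
    else:
        if not device:
            raise ValueError("live modes need -i <device>")
        if daq == "afpacket" and mode == "inline":
            parse_inline_pairs(device, management)  # inline needs pairs, not one interface
        argv += ["-i", device]
    if q_flag:
        argv.append("-Q")
    if conf:
        argv += ["-c", conf]
    return argv


def cmdline_error(**kwargs):
    """Return the validation error for these options, or None if they are acceptable."""
    try:
        build_snort_cmdline(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(" ".join(build_snort_cmdline("afpacket", "eth1:eth2", q_flag=True, conf="snort.conf")))
    print(cmdline_error(daq="pcap", device="eth1", q_flag=True))
```

Feeding the helper the real output of `snort --daq-list` instead of the embedded listing lets a deployment script refuse a start-up combination (for example pcap with -Q, or -Q with --daq-mode passive) before Snort itself reports the fatal error.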

Closing
Hopefully that is enough to get you going. See the DAQ distro README as well as Snort's README.daq for more information.

We have already received some positive feedback as well as some pointers on what needs fixing in the beta. Keep the feedback coming and we'll ensure a solid 2.9.0 rollout. Send bugs / features / etc to "bugs <at> snort.org" or join the Snort-Devel and Snort-Users mailing lists and post your thoughts there.

Tuesday, August 10, 2010

Quick analysis of a webpage leveraging CVE-2010-1885 (aka the help and support center vulnerability)

In a previous blog post I wrote about an increase in attacks against a vulnerability that was, at the time, unpatched. Microsoft patched it on July 13, which doesn't mean that people aren't still trying to own unpatched machines.

goodgirlsbadguys.com (213.155.12.144) is a domain registered on July 19 2010 with a registrant address listed in Cambodia. Visiting a particular webpage for that domain (trust me and don't go there...despite the name there is nothing juicy on this domain except pwnage) returns a URL as part of an iframe. Microsoft Help and Support Center is invoked with a few parameters, one of which is the URL obtained earlier:

KB2286198_help_center_command_line
Pic.1: Help and Support Center

Notice the use of the keyword "crimepack" in the hcp:// request.

In a randomly named file (in this case, "bat.vbsautba" in c:\Documents and Settings\user\Local Settings\Temp) the following HTML can be found:

KB2286198_dropped_file.png
Pic.2: Dropped file with random name

Later, the command line utility is invoked with the following parameters:

KB2286198_cmd_exe.png
Pic.3: cmd.exe called to run script...and kill Windows Media Player

The script that is executed is called D.vbs:

KB2286198_wscript_exe.png
Pic.4: D.vbs

Snort detects this Windows Help Center escape sequence cross-site scripting attempt with sid 16665:

08/09-11:26:49.588645  [**] [1:16665:3] WEB-CLIENT Microsoft Windows Help Centre escape sequence XSS attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 213.155.12.144:80 -> 10.11.250.196:1076
08/09-11:26:49.588645 0:1E:13:F0:2E:19 -> 0:C:29:21:50:D5 type:0x8100 len:0x59E
213.155.12.144:80 -> 10.11.250.196:1076 TCP TTL:59 TOS:0x0 ID:11527 IpLen:20 DgmLen:1420 DF

ClamAV has got you covered as well with BC.Exploit.CVE_2010_1885.
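As an added example (not code from the post or a Sourcefire tool), the following Python parser turns Snort fast-format alert lines such as the one above into the fields an analyst pivots on (GID/SID/rev, classification, priority, protocol and endpoints) and reports every destination host that tripped a given SID, which is the first question after a client-side alert like 16665 fires. The first sample line is the alert quoted above; the other lines are constructed. The regex assumes the fast-alert line shape shown, and unbracketed IPv6 endpoints are not handled.

```python
import re
from collections import Counter

# Snort "fast" alert line shape assumed here:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# First line is the alert quoted in the post; the rest are constructed samples.
SAMPLE_ALERTS = [
    "08/09-11:26:49.588645  [**] [1:16665:3] WEB-CLIENT Microsoft Windows Help Centre escape sequence XSS attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 213.155.12.144:80 -> 10.11.250.196:1076",
    "08/09-11:27:02.104211  [**] [1:16665:3] WEB-CLIENT Microsoft Windows Help Centre escape sequence XSS attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 213.155.12.144:80 -> 10.11.250.201:1102",
    "08/09-11:27:15.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.11.250.196 -> 10.11.250.1",
    "not an alert line at all",
]


def split_endpoint(endpoint):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); ICMP endpoints carry no port -> ('1.2.3.4', None)."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_fast_alert(line):
    """Parse one fast-format alert line into a dict, or return None if it is not one."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    src_ip, src_port = split_endpoint(d["src"])
    dst_ip, dst_port = split_endpoint(d["dst"])
    return {
        "timestamp": d["ts"],
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
        "proto": d["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def alerts_for_sid(lines, sid):
    """All parsed alerts for one SID; unparseable lines are skipped."""
    return [a for a in map(parse_fast_alert, lines) if a and a["sid"] == sid]


def hosts_hit_by(lines, sid):
    """Destination (victim-side) hosts seen for a SID, with alert counts."""
    return Counter(a["dst_ip"] for a in alerts_for_sid(lines, sid))


if __name__ == "__main__":
    for host, n in hosts_hit_by(SAMPLE_ALERTS, 16665).items():
        print(f"sid 16665: {host} ({n} alert(s))")
```

Because the exploit page is served by the attacker's host and the alert fires on the response, the client behind the destination address is the machine to check for the dropped script and the cmd.exe invocation shown in the screenshots above.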

Rule Release for Today, Tuesday August 10th, 2010

Microsoft Security Advisory MS10-046:
Microsoft Windows Shell contains a vulnerability that may allow a remote attacker to execute code on an affected system.

Previously released rules to detect attacks targeting these vulnerabilities have been updated with the appropriate reference and are included in this release. These are identified with GID 1, SIDs 17042 and 17043.

Microsoft Security Advisory MS10-050:
Microsoft Windows Movie Maker contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this issue is included in this release and is identified with GID 3, SID 17135.

Microsoft Security Advisory MS10-051:
The Microsoft MSXML2 ActiveX control contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this issue is included in this release and is identified with GID 3, SID 17133.

Microsoft Security Advisory MS10-052:
Microsoft Windows Media Player contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this issue is included in this release and is identified with GID 3, SID 17117.

Microsoft Security Advisory MS10-053:
Microsoft Internet Explorer contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this issue is included in this release and is identified with GID 3, SID 17115.

Microsoft Security Advisory MS10-054:
The Microsoft implementation of SMB contains programming errors that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these errors are included in this release and are identified with GID 3, SIDs 17125 through 17127.

Additionally, a previously released rule will also detect attacks targeting these issues and is identified with GID 3, SID 16577.

Microsoft Security Advisory MS10-055:
Microsoft Windows Media Player contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this issue is included in this release and is identified with GID 3, SID 17128.

Microsoft Security Advisory MS10-056:
Microsoft Office Word contains programming errors that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these errors are included in this release and are identified with GID 3, SIDs 17119 through 17124.

Microsoft Security Advisory MS10-057:
Microsoft Office Excel contains programming errors that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting these issues is included in this release and is identified with GID 3, SID 17134.

Microsoft Security Advisory MS10-060:
Microsoft Silverlight contains a programming error that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these errors are included in this release and are identified with GID 3, SIDs 17113 and 17114.

Microsoft Security Advisory MS10-061:
Microsoft .NET contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this issue is included in this release and is identified with GID 3, SID 17115.

Check out the changelogs here: http://www.snort.org/vrt/advisories/2010/08/10/vrt-rules-2010-08-10.html

Tuesday, August 3, 2010

Rule Release for Today, Tuesday August 3rd, 2010

Added and modified multiple rules in the exploit, ftp, imap, mysql, netbios, rpc, specific-threats, sql, web-activex, web-client, web-iis, web-misc and web-php rule sets.

Check here for details: http://www.snort.org/vrt/advisories/2010/08/03/vrt-rules-2010-08-03.html