
Astalavista.com, one of the popular hacking and security community websites, was completely defaced and destroyed by the Anti-Sec group on June 5th. In what is called one of the most destructive attacks of recent times, the Astalavista.com servers were not only hacked but completely ruined: almost everything was deleted, including the backups on the backup servers, leaving no chance of recovery.

The attack was carried out by exploiting a remote code execution vulnerability in the LiteSpeed web server which was running the Astalavista site.

The attacker was against Astalavista for charging money to join the community and for stealing exploits from milw0rm. However, a new note on Astalavista.com claims otherwise.

Here is the quote that was left behind by the attacker after defacing the site explaining the reason behind the attack.

Why has Astalavista been targeted?
Other than the fact that they are not doing any of this for the “community” but for the money, they spread exploits for kids, claim to be a security community (with no real sense of security on their own servers), and they charge you $6.66 per month to access a dead forum with a directory filled with public releases and outdated / broken services. We wanted to see how good that “team of security and IT professionals” really is.

The entire attack, from defacement to destruction, is narrated step by step in this very interesting text document.

The game ends with the following script…

What a journey! We’re not sure exactly why the “Terminator” had any influence on their naming (conventions) but we’re sure Arnold himself wouldn’t be in the wrong to say this pack of morons *won't be back*.

Everything which has the beginning has an end…!

.

This may sound like another hacking book written to sell, but it is not. This is one of those books where the author has covered vulnerability exploitation, a complex topic to comprehend, from tip to toe in a simple and practical way.

Book: Art of Exploitation

At a top level this book covers the following topics from the security arena…

  • Programming
  • Exploitation
  • Networking
  • Shellcode
  • Countermeasures
  • Cryptography

This book takes a step-by-step approach to present the art of exploitation to novices and experts alike in a very understandable way. It starts with programming in assembly and C from a hacker’s perspective. Then it goes on to explain exploitation techniques along with shellcode and networking concepts. The cryptography section at the end is most commendable, as the author has done a great job of explaining such a complex topic in an easy-to-understand format.

In this second edition, the author has introduced a new section on Countermeasures which delves into defensive mechanisms against the hacking techniques described earlier in the book. However, I liked the cover page of the first edition, which had a Matrix theme.

Overall, it’s the best practical book for any security professional to understand as well as master the art of vulnerability exploitation.

.

FirePasswordViewer is the GUI version of the popular FirePassword tool, designed to decrypt sign-on secrets stored by Firefox. Firefox records login details such as the username and password for every website authorized by the user and stores them in the sign-on database file in encrypted form.

FirePasswordViewer can decrypt and display these secrets in the same way as the Firefox built-in password manager. Its main advantage is that it does not require Firefox to be running, which is very useful for recovering sign-on details when Firefox fails to function properly.

FirePasswordViewer can also display sign-on secrets from a different profile (other than the current one) as well as from a different operating system (such as Linux, Mac etc.). This greatly helps forensic investigators, who can copy the relevant files from the target system to a test machine and view the credentials offline without affecting the target environment. The displayed sign-on information can then be saved to a file in standard HTML format, which serves as a valuable and quick offline reference.

For more information and to download FirePasswordViewer, please visit the main page here.

.

Vista introduced a new feature called UAC (User Account Control). In short, it controls the way in which applications are executed by different users. Because of UAC enforcement, by default any application on Vista runs in the context of a standard user instead of an administrator. As a result, an application which requires administrator privileges will fail to work properly on Vista.

VistaUACMaker is designed to address this problem by making any Windows XP based application compatible with Vista as well as Windows 7.

The newer version comes with a more enriched look & feel, making it a beautiful tool to use. For more technical details and to download, please visit the main page of VistaUACMaker.

.

SpyDLLRemover is a standalone tool to effectively detect and delete spyware from the system. It now comes with an advanced spyware scanner which can quickly discover hidden rootkit processes as well as suspicious/injected DLLs within all running processes. It not only performs sophisticated automatic analysis of process DLLs but also displays them with various threat levels, which greatly helps in quickly identifying malicious DLLs.

One of the unique features of SpyDLLRemover is its capability to free a DLL from a remote process using an advanced DLL injection method which can defeat any existing rootkit tricks. It also uses sophisticated low-level anti-rootkit techniques to uncover hidden userland rootkit processes as well as to terminate them.

The newer version also comes with other cool features such as HTML based report generation, sorting of the process/DLL list for quick analysis, an enhanced user interface etc.

For more features and to download the tool, visit the main page of SpyDLLRemover.

.

BHO stands for Browser Helper Object, a plugin written for Internet Explorer to enhance its capabilities. But this feature is being misused by spyware programs which monitor the user’s browsing habits and silently steal the user’s credentials. Also, some BHOs slow down the system considerably.

BHORemover helps in quickly identifying and eliminating such malicious BHOs from the system.

The latest version of BHORemover makes it even easier to distinguish legitimate BHOs from malicious ones by providing an option for online verification of the BHO file using ProcessLibrary.com. One can also view more details about a BHO by clicking on the ‘properties’ button. In addition, the new sorting mechanism makes it easy to sort the entries by various parameters such as name, company, install date etc. For example, sorting by date helps in quickly finding newly installed BHOs, thus saving a lot of analysis time.

Along with all these features, the new enhanced look & feel makes it a cool and light tool for keeping the system free of malicious BHOs.

For more details on BHORemover and downloading this tool, visit the main website.

.

This book is essential for anyone in software development to understand basic security flaws as well as to detect & eliminate them during the early development phase of the product itself. It offers detailed coverage of 19 crucial security flaws, each explained in a separate chapter.



The book covers the following 19 security flaws, one per chapter.

  • Buffer overruns.
  • Format string problems.
  • Integer overflows.
  • SQL injection.
  • Command injection.
  • Failure to handle errors.
  • Cross-site scripting.
  • Failure to protect network traffic.
  • Use of magic URLs and hidden forms.
  • Improper use of SSL.
  • Use of weak password-based systems.
  • Failure to store and protect data securely.
  • Information leakage.
  • Trusting network address resolution.
  • Improper file access.
  • Race conditions.
  • Unauthenticated key exchange.
  • Failure to use cryptographically strong random numbers.
  • Poor usability.

In each chapter the authors explain the nature of the sin, a sample defect, techniques for catching it during code review, unit test cases and additional defenses to make exploitation harder. Code examples are written in the most commonly used languages such as C, C++, C#, Java, PHP, Perl, VB etc. and cover all popular platforms including Windows, Linux, Unix and Mac OS X. This makes it one of those rare books covering such a crucial topic for a wide range of audiences.

Written by prominent authors, the entire book is filled with rich technical code samples which make it a more insightful and valuable resource for all coders out there.

.

While crawling the net for a good list of Windbg commands, I came across this site which has grouped together all the essential commands. This makes it very easy to quickly figure out the required command while you are deep into debugging…

Here is the link to the page
http://www.windbg.info/doc/1-common-cmds.html

It is also available in the PDF format,
http://www.windbg.info/download/doc/pdf/WinDbg_cmds.pdf

AdvancedWinServiceManager is a Windows service management application which can uncover services hidden by rootkits. Services normally run under the ‘system’ account, enabling them to perform higher-privilege operations which normal processes cannot. Because of these advantages, malware often implements services to monitor and control the entire system. However, as such services can be easily seen, malicious programs use various tricks to hide their services from being discovered and terminated.

In this direction, AdvancedWinServiceManager makes it easy to detect and eliminate such hidden services by using sophisticated anti-rootkit techniques. It also makes it easy to identify malicious services by showing only third-party services along with more details such as Company Name, Description, Install Date, File Path etc. in one place. All these unique features make it stand apart from the built-in ‘Windows Service Management Console’.

Here is the screenshot of AdvancedWinServiceManager detecting the hidden service belonging to HackerDefender Rootkit.

For more information about its features and download, please visit the website page here. Also you can find more technical discussion about hiding services and their detection in the article on ‘Hidden Services Detection’.

Fuzzing is the most powerful and quickest method to expose security flaws in any product. In that direction, this is the first book which attempts to cover all aspects of fuzzing. Written by prominent authors who have mastered this field, the book not only explains the fundamentals but is rich with practical examples too.


The authors start by explaining fuzzing and automating the tests, and then go on to explain in detail various types of fuzzing including web fuzzing, file format fuzzing, network fuzzing, browser fuzzing, in-memory fuzzing etc. It is filled with numerous case studies, each one showcasing a unique vulnerability and its detection using fuzzing techniques.

Here is the table of contents of the book

PART I         BACKGROUND

Chapter 1    Vulnerability Discovery Methodologies

Chapter 2    What Is Fuzzing?

Chapter 3    Fuzzing Methods and Fuzzer Types

Chapter 4    Data Representation and Analysis

Chapter 5    Requirements for Effective Fuzzing

PART II      TARGETS AND AUTOMATION

Chapter 6    Automation and Data Generation

Chapter 7    Environment Variable and Argument Fuzzing

Chapter 8    Environment Variable and Argument Fuzzing: Automation

Chapter 9    Web Application and Server Fuzzing

Chapter 10  Web Application and Server Fuzzing: Automation

Chapter 11  File Format Fuzzing

Chapter 12  File Format Fuzzing: Automation on UNIX

Chapter 13  File Format Fuzzing: Automation on Windows

Chapter 14  Network Protocol Fuzzing

Chapter 15  Network Protocol Fuzzing: Automation on UNIX

Chapter 16  Network Protocol Fuzzing: Automation on Windows

Chapter 17  Web Browser Fuzzing

Chapter 18  Web Browser Fuzzing: Automation

Chapter 19  In-Memory Fuzzing

Chapter 20  In-Memory Fuzzing: Automation

PART III    ADVANCED FUZZING TECHNOLOGIES

Chapter 21  Fuzzing Frameworks

Chapter 22  Automated Protocol Dissection

Chapter 23  Fuzzer Tracking

Chapter 24  Intelligent Fault Detection

PART IV     LOOKING FORWARD

Chapter 25  Lessons Learned

Chapter 26  Looking Forward

—————————————————————-

Overall this is a great book to read, at least to find out whether the bear is going to catch fish or not…!

.

My new tool, SpyDLLRemover, is released on the RootkitAnalytics website. This tool helps in detecting and deleting userland based rootkits which hide processes and injected modules to prevent their detection by anti-rootkit software.

Here is the snapshot of SpyDLLRemover detecting the hidden process belonging to HackerDefender Rootkit.

Here is another snapshot of SpyDLLRemover detecting the hidden modules/DLLs loaded by Vanquish Rootkit.

Here is the complete feature list of SpyDLLRemover

————————————————————–

  • Detect hidden userland rootkit processes using multiple techniques such as
    - Direct NT System Call Implementation
    - Process ID Bruteforce Method (PIDB) as first used by BlackLight
    - CSRSS Process Handle Enumeration Method

  • Detect the hidden DLL/module within a process by using the loaded list traversal technique.
  • It uses direct system calls to perform process related operations, which defeats any attempt to hide by userland rootkits.
  • Separates out the modules/DLLs based on various threat levels such as hidden DLL, BHO plugin DLL, system DLL, AppInit DLL etc., which makes it effective in detecting malicious modules.
  • DLLs are marked with different colors based on threat level, which makes it easy and quick to eliminate spyware DLLs.
  • It presents a state-of-the-art technique for removing a DLL from a remote process based on the DLL injection method, completely unloading the DLL in just one click.
  • Terminate any suspicious or hidden process directly using NT system calls.
  • It has an integrated online verification mechanism through ProcessLibrary.com to validate any suspicious DLLs. This makes it easy to differentiate between spyware & legitimate DLLs.

  • Displays detailed information about all running processes on the system
    - Process name
    - Process Id
    - Company Name
    - Process Description
    - Memory Utilization
    - Process Binary Path
    - Process File Size
    - File Install Date

  • Shows detailed information about each loaded DLL within a process to make it easier for manual analysis.
    - DLL Name
    - Company Name
    - Description
    - Comment about type of DLL (System, Hidden, Suspicious)
    - Load/reference count of DLL
    - Loading Type (static/dynamic)
    - DLL File Size
    - File Install Date
    - Base Address of DLL
    - Entry point of DLL
    - Full DLL File Path

  • It is a standalone tool which can be executed directly as it does not require any installation.

————————————————————–
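The first bullet of the feature list names three cross-view techniques for finding processes that a userland rootkit hides from the usual enumeration APIs. The following is an added illustration of the principle behind the Process ID Bruteforce (PIDB) method, written for this page and not taken from SpyDLLRemover or BlackLight: a constructed process table stands in for the kernel, a hooked "API view" silently drops one PID (as a hooked enumeration routine would), and a per-PID probe that the hook does not cover walks the PID space; any PID the probe confirms alive but the API view omits is reported as hidden. The PID values, the hidden PID and the search ceiling are all constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the live process table (hypothetical PIDs). */
static const int live_pids[] = { 4, 212, 508, 1040, 1312, 2200 };
static const size_t live_count = sizeof live_pids / sizeof live_pids[0];

/* The PID that the simulated userland rootkit strips from the enumeration
 * API, the way a hooked snapshot routine would drop its own process. */
static const int hidden_pid = 1312;

#define VIEW_CAP 64          /* capacity of the PID arrays below */
#define PID_SEARCH_MAX 4096  /* search ceiling, sized for the constructed table */

/* "API view": the PIDs a hooked snapshot-style enumeration reports.
 * Writes into out[] and returns the number of entries. */
size_t api_view(int *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < live_count && n < cap; ++i)
        if (live_pids[i] != hidden_pid)
            out[n++] = live_pids[i];
    return n;
}

/* "Probe": would opening this PID succeed? This stands in for the per-PID
 * open call that PIDB relies on, which takes a code path the enumeration
 * hook does not filter. */
bool probe_pid(int pid)
{
    for (size_t i = 0; i < live_count; ++i)
        if (live_pids[i] == pid)
            return true;
    return false;
}

/* Cross-view diff: brute-force every candidate PID with the probe and
 * report the ones that exist but are missing from the API view.
 * Returns the number of hidden PIDs written into hidden[]. */
size_t find_hidden(int *hidden, size_t cap)
{
    int seen[VIEW_CAP];
    size_t seen_n = api_view(seen, VIEW_CAP);
    size_t found = 0;
    /* Windows PIDs are multiples of 4, so the probe steps by 4. */
    for (int pid = 4; pid <= PID_SEARCH_MAX && found < cap; pid += 4) {
        if (!probe_pid(pid))
            continue;
        bool listed = false;
        for (size_t i = 0; i < seen_n; ++i)
            if (seen[i] == pid) { listed = true; break; }
        if (!listed)
            hidden[found++] = pid;
    }
    return found;
}

int main(void)
{
    int hidden[VIEW_CAP];
    size_t n = find_hidden(hidden, VIEW_CAP);
    printf("%zu hidden process(es) found\n", n);
    for (size_t i = 0; i < n; ++i)
        printf("  PID %d is alive but absent from the enumeration API\n", hidden[i]);
    return 0;
}
```

The detection works only because the two views are produced by different code paths; a rootkit that hooks both the enumeration and the per-PID open call would defeat this particular pair, which is why the tool combines several independent views rather than relying on one.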

For more information and to download SpyDLLRemover, please visit the RootkitAnalytics website.

.

Finally RootkitAnalytics is live on the net. Rootkit Analytics [RA], the science of rootkit analysis, is a web portal built to enhance research, analysis and development of rootkit defense mechanisms.

I am one of the lead members of RootkitAnalytics along with Ryan. Ryan specializes in Linux based rootkit analysis while I focus on Windows rootkits.

With the launch of the website, my new anti-rootkit tool, SpyDLLRemover, is released as well. This tool helps in detecting and deleting userland based rootkits which hide their processes and injected modules. You can download it from the website.

If you have any suggestions about the website or the SpyDLLRemover tool, please send them through this feedback page.

.

This is one of the best books written on one of the most complex and interesting topics in computer security, ‘Discovering and Exploiting Security Holes’. It starts with an explanation of different classes of security vulnerabilities such as stack overflows, heap overflows and format string bugs. Then it goes on to describe the techniques to discover these flaws and ultimately exploit them in the real world.



Here is the ‘Table of Contents’ of this book

Part 1: Introduction to Exploitation: Linux on x86.

Chapter 1: Before You Begin.
Chapter 2: Stack Overflows.
Chapter 3: Shellcode.
Chapter 4: Introduction to Format String Bugs.
Chapter 5: Introduction to Heap Overflows.

Part 2: Exploiting More Platforms: Windows, Solaris, and Tru64.

Chapter 6: The Wild World of Windows.
Chapter 7: Windows Shellcode.
Chapter 8: Windows Overflows.
Chapter 9: Overcoming Filters.
Chapter 10: Introduction to Solaris Exploitation.
Chapter 11: Advanced Solaris Exploitation.
Chapter 12: HP Tru64 Unix Exploitation.

Part 3: Vulnerability Discovery.

Chapter 13: Establishing a Working Environment.
Chapter 14: Fault Injection.
Chapter 15: The Art of Fuzzing.
Chapter 16: Source Code Auditing: Finding Vulnerabilities in C-Based Languages.
Chapter 17: Instrumented Investigation: A Manual Approach.
Chapter 18: Tracing for Vulnerabilities.
Chapter 19: Binary Auditing: Hacking Closed Source Software.

Part 4: Advanced Materials.

Chapter 20: Alternative Payload Strategies.
Chapter 21: Writing Exploits that Work in the Wild.
Chapter 22: Attacking Database Software.
Chapter 23: Kernel Overflows.
Chapter 24: Exploiting Kernel Vulnerabilities.

————————————————————————————-

The book contains a rich set of code examples in every chapter, which makes it very useful. Also, the discovery and exploitation techniques are covered on multiple platforms including Linux, Windows, Solaris and Tru64. In the end it explains some advanced topics such as alternative ways of carrying shellcode, writing real-world exploits, and exploiting database and kernel vulnerabilities.

Finally, if you are a fan of Matrix series then this is the book for you….!

.

Lately I have been researching the Windows SFC (System File Checker) mechanism, which is used to protect system files against accidental or deliberate modification. I have written in more detail about how this technique can be used to differentiate between system and normal components.




Today while surfing the net, I came across a very good article which explains how one can disable this SFC protection on the fly. By the way, there are many (manual) ways to defeat SFC protection, but this one describes a core method of disabling it based on analysis of the SFC implementation.

Read the detailed article on “Windows File Protection: How To Disable It On The Fly”

.

After I wrote about ‘Detecting System DLL’, some of my friends working on malware analysis asked for a tool which can show whether a particular file is protected by the SFC mechanism. I could not find any such tool and decided to write my own, SFCList. This tool helps to enumerate all SFC protected files. It provides a filter option which makes it easy to effectively search through thousands of files. It also allows one to verify whether a specified file is protected by SFC or not.

Here is the usage of the SFCList tool,

SFCList [ -l [pattern] ] [ -p <filepath> ]

-l [pattern]   List all system files protected through SFC which match
               the string pattern (optional)
-p <filepath>  Verify if the file is protected by SFC

Example:
//List all the protected files having text 'win'
sfclist -l win

//List all the protected dll files
sfclist -l .dll

//Check if the file is protected by SFC
sfclist -p "c:\windows\system32\kernel32.dll"

The screenshot below shows the listing of SFC protected DLL files.

You can directly download the SFCList tool from the website.

.

Recently while working on a new tool, SpyDLLRemover, I had to separate out the operating system DLLs from the others. To be precise, I needed a method to reliably detect a malicious DLL among all the loaded DLLs of a process. This requires cornering the malicious DLL by eliminating legitimate DLLs from the list.

So I came up with various methods of detecting system DLLs, such as checking whether the file path belongs to the windows or system32 folder, whether the company name is Microsoft, online verification etc. But none of these are reliable or practical, and they can easily lead to false positives.

Finally after days of searching around, one fine morning I was struck by lightning about the SFC (System File Checker) functions. Some time back, while removing some spyware from my system, I had stumbled upon this SFC stuff. In short, SFC is the mechanism used by Windows to check the integrity of OS core components as well as to protect them from accidental damage.

Windows also provides a couple of API functions to allow applications to use this SFC functionality. One interesting function is SfcIsFileProtected(), which checks whether the specified filename is a protected system file or not. This makes it a very reliable method to differentiate system components from others.

Here is the sample code which uses the above-mentioned technique to verify if a DLL belongs to the system.

#include <stdio.h>
#include <windows.h>
#include <sfc.h>
#pragma comment(lib, "sfc.lib")

// SfcIsFileProtected takes a wide-character path; the first
// parameter is an RPC handle and must be NULL.
void CheckSystemDLL(LPCWSTR DLLfilePath)
{
    if( SfcIsFileProtected(NULL, DLLfilePath) == TRUE )
    {
        printf("This is system DLL\n");
    }
    else
    {
        printf("This is NOT the system DLL\n");
    }
}

This method can also be extended to executable files to find out if the process binary is part of the operating system. However, it cannot detect redistributable system components which are copied as part of an application installation.

Still, it makes up a reliable technique to detect system DLLs and separate out the dirty fish from the pond…!

.

Almost every developer knows the cost of using insecure string functions such as strcpy, which can lead to buffer overflow exploits. But no one knows the cost of using the secure string functions. Here is just an illustration of how much pain they can cause sometimes…

Have a look at the sample code below,

#include <stdio.h>
#include <string.h>

int main()
{
    char test[] = "hello";

    // converting text to lowercase
    // (passes strlen(test) on purpose: this is the defect discussed below)
    _strlwr_s( test, strlen(test) );
    return 0;
}

This is a very simple program which converts the text to lowercase using the secure version of the string function, _strlwr_s(). Now take a closer look at this program and see if you can sense anything wrong.

Even with an eagle eye, everything looks obviously correct in the above program. However, it crashes into the debugger when executed. Surprised???

I was surprised indeed: how can such simple, straightforward code lead to a crash? I was wondering if something was wrong with the implementation itself.

Beaten down by the crash and curious at the same time, I decided to find out. I had used this code in a big project and it took me a while to narrow down the crash location to the _strlwr_s() function. I tried a couple of tweaks here and there to see if I could quickly figure it out; nothing worked, as usual :) . It was crashing into Windbg, which I had registered as the default debugger.

Finally I started with traditional debugging using the debug version, and it asserted as shown below…



See the fun here: it is complaining ‘String is not null terminated’. Naturally I looked at the code to make sure that the string is null terminated, and it is perfect as you can see. Then I checked the MSDN documentation for the strlwr function, which was like below

errno_t _strlwr_s( char *str, size_t sizeInBytes );

Then it suddenly struck me that the problem was with the second parameter ‘sizeInBytes’, which refers to the total size of the string buffer rather than just the string length as in normal string functions…!

Finally I corrected it by passing the size of the string buffer as the parameter instead of the string length.

_strlwr_s( test, strlen(test)+1 );

This may appear to be a classic case of oversight, but this is what happens when things change even slightly from the standard behavior.
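Because _strlwr_s is specific to the Microsoft CRT, here is an added, portable C illustration of the contract its assertion enforces; it is written for this page and is neither the CRT implementation nor code from the post. The hypothetical lower_s() takes sizeInBytes the way the documented prototype does, refuses to touch a buffer in which no terminator lies within that many bytes, and otherwise lowercases in place. lower_with_strlen() reproduces the mistake in the post and lower_with_sizeof() the fix (for an array initialised from a literal, sizeof test equals strlen(test)+1).

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical portable stand-in for _strlwr_s. It follows the documented
 * contract (str must be NUL-terminated within sizeInBytes) rather than the
 * CRT code. Returns 0 on success and EINVAL when the terminator is not
 * found inside the buffer size the caller declared. */
int lower_s(char *str, size_t sizeInBytes)
{
    char *p;
    if (str == NULL || sizeInBytes == 0)
        return EINVAL;
    /* memchr only looks at sizeInBytes bytes; when the caller passes
     * strlen(str) the NUL sits at index sizeInBytes, just out of range,
     * which is exactly the "String is not null terminated" condition. */
    if (memchr(str, '\0', sizeInBytes) == NULL)
        return EINVAL;
    for (p = str; *p != '\0'; ++p)
        *p = (char)tolower((unsigned char)*p);
    return 0;
}

/* Reproduces the bug from the post: passing the string length. */
int lower_with_strlen(char *buf)
{
    return lower_s(buf, strlen(buf));
}

/* The fix: pass the buffer size, which includes the terminator. */
int lower_with_sizeof(char *buf, size_t bufsize)
{
    return lower_s(buf, bufsize);
}

int main(void)
{
    char test[] = "HELLO";
    /* Constructed input; the first call is rejected and leaves test unchanged. */
    printf("with strlen(test): rc=%d, buffer=\"%s\"\n", lower_with_strlen(test), test);
    printf("with sizeof test:  rc=%d, buffer=\"%s\"\n",
           lower_with_sizeof(test, sizeof test), test);
    return 0;
}
```

The failing call returns an error instead of corrupting memory, which is the whole point of the secure variants: the extra size parameter is a bound on what the function may read or write, so passing strlen() there tells the function that the terminator is outside the buffer.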

.

Nowadays it is very common to get infected even if you have the best antivirus software installed with the latest signatures. One of the main reasons is the rise of a new category of viruses which do not belong to any previously detected virus family. Also, virus writing has become a money-making business rather than just for fun as in the old days. As a result there is a high chance that your machine is controlled by a virus even in the presence of antivirus software. This is especially true when the particular virus is not widely spread and lesser known. In such cases online virus analysis comes to the rescue.

The best part of these online analyzers is that the suspicious file will be scanned against more than one vendor’s database, leading to a greater chance of detection. There are now a lot of websites which provide a free online virus scanning service. Currently VirusTotal.com and VirScan.org provide the best service, using the databases from top antivirus vendors.

Here are some of the websites which provide online virus analysis.

http://www.virustotal.com/
http://www.virscan.org/
https://www.microsoft.com/security/portal/submit.aspx
http://www.offensivecomputing.net/
http://research.sunbelt-software.com/submit.aspx
http://www.kaspersky.com/scanforvirus
http://www.threatexpert.com/submit.aspx
https://www.webimmune.net/default.asp
http://anubis.iseclab.org/index.php
http://uploads.malwarebytes.org/

Though all of these websites provide a free virus scanning service, some of them have limitations such as an upload size limit, user registration etc. But in the end, when your antivirus fails to serve its purpose, online analysis is the way to go…!

.

This is the most incredible book ever written on the darkest area of the computer security world. The authors have done a splendid job in presenting the most mysterious subject of computer security in a very simple and easy-to-understand format.




Here is the detailed table of contents….

………………………………………………………………………………………………………….

1. Leave No Trace.

Understanding Attackers’ Motives.

What Is a Rootkit?

Why Do Rootkits Exist?

How Long Have Rootkits Been Around?

How Do Rootkits Work?

What a Rootkit Is Not.

Rootkits and Software Exploits.

Offensive Rootkit Technologies.

2. Subverting the Kernel.

Important Kernel Components.

Rootkit Design.

Introducing Code into the Kernel.

Building the Windows Device Driver.

Loading and Unloading the Driver.

Logging the Debug Statements.

Fusion Rootkits: Bridging User and Kernel Modes.

Loading the Rootkit.

Decompressing the .sys File from a Resource.

Surviving Reboot.

3. The Hardware Connection.

Ring Zero.

Tables, Tables, and More Tables.

Memory Pages.

The Memory Descriptor Tables.

The Interrupt Descriptor Table.

The System Service Dispatch Table.

The Control Registers.

Multiprocessor Systems.

4. The Age-Old Art of Hooking.

Userland Hooks.

Kernel Hooks.

A Hybrid Hooking Approach.

5. Runtime Patching.

Detour Patching.

Jump Templates.

Variations on the Method.

6. Layered Drivers.

A Keyboard Sniffer.

The KLOG Rootkit: A Walk-through.

File Filter Drivers.

7. Direct Kernel Object Manipulation.

DKOM Benefits and Drawbacks.

Determining the Version of the Operating System.

Communicating with the Device Driver from Userland.

Hiding with DKOM.

Token Privilege and Group Elevation with DKOM.

8. Hardware Manipulation.

Why Hardware?

Modifying the Firmware.

Accessing the Hardware.

Example: Accessing the Keyboard Controller.

How Low Can You Go? Microcode Update.

9. Covert Channels.

Remote Command, Control, and Exfiltration of Data.

Disguised TCP/IP Protocols.

Kernel TCP/IP Support for Your Rootkit Using TDI.

Raw Network Manipulation.

Kernel TCP/IP Support for Your Rootkit Using NDIS.

Host Emulation.

10. Rootkit Detection.

Detecting Presence.

Detecting Behavior.

………………………………………………………………………………………………………….

This is a highly technical book which goes from the basics to advanced topics of rootkits. It starts by explaining what a rootkit is and what it is not. In the second chapter, it describes the basics of kernel drivers and then gets into more detailed techniques for rootkit injection, covert channels, DKOM, and various hooking mechanisms including userland, kernel and hybrid methods. It also sheds light on the hardware aspect of rootkits, such as playing with firmware/hardware using the example of the keyboard controller. The last chapter briefly describes various ways of detecting rootkits.

Though the authors have not covered much on rootkit detection, overall this book presents enough information for a novice to master the darkest secrets of computer security.

If you are the kind of person who lives in the binary world and black is your favourite color, then this is the book for you…!

.

Today I received my first print copy of HAKIN9 magazine along with an awesome T-Shirt. It is just an amazing feeling to have stuff like this in my hands; it’s like a mother holding her first baby.



Hakin9 is a hardcore computer security magazine which exposes the top secrets straight from the field. It is written by some of the prominent personalities who have proven their expertise in the security world. It offers an in-depth look at both attack and defense techniques and concentrates on difficult technical issues. Mainly targeted at IT security professionals and system managers, it also provides great insight for students & hobbyists.

Initially released as an online magazine, it is now available in print form too. Indian readers can order it through the ETA website, and you will receive a nice T-shirt with a one-year subscription :)

Happy Hakin9 :)

.
