
DllHijackAuditor is a free tool to audit any Windows application against the DLL Hijacking vulnerability. This recently discovered critical security issue affects almost all Windows systems on the planet. It appears that a large number of Windows applications are currently susceptible to this vulnerability, which can allow an attacker to completely take over the system.


In this direction, DllHijackAuditor helps in discovering all such vulnerable DLLs in a Windows application which could otherwise lead to successful exploitation and total compromise of the system. With its simple GUI, DllHijackAuditor makes it easy for anyone to perform the audit instantly. It also presents a detailed technical audit report which can help the developer fix all vulnerable points in the application.


Here are some of the prominent features of DllHijackAuditor:

  • Directly and instantly audit any Windows application.
  • Allows complete testing to uncover all vulnerable points in the target application.
  • Generates a complete audit report (in HTML format) about all vulnerable hijack points in the application.
  • GUI-based tool, which makes it easy for anyone with minimal knowledge to perform the audit.
  • Does not require any special privilege for auditing the application (unless the target application itself requires one).
  • Does not trigger antivirus, as it does not use any shellcode or exploit code that would cause antivirus to terminate the operation.
  • The application does not have to be registered with any file extension.
  • Does not require any external third-party tools.
  • No installation is required; just copy it and run it anywhere.


This tool works on the same two-phase line of operation as DllHijackAuditKit by HD Moore. Though that was a great toolkit for sweep-scanning all applications, I found some limitations with it. Mainly, it helped with applications which are associated with some file extension, so applications which are not currently associated with any extension were not tested by the toolkit. Also, only launch-time auditing was done; there was no scope for auditing all points in the application.

So I found a strong need for a special tool which will help anyone test a particular application completely, while also providing a detailed audit report which will further assist in fixing all the DLL hijack vulnerabilities in the application. This is the story behind the birth of DllHijackAuditor.
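To make the first of the two audit phases concrete, here is an added example (not DllHijackAuditor's or DllHijackAuditKit's code) that works from a file-system trace of the application rather than from launch-time behaviour alone: it picks out every DLL the audited process tried to open in its working directory and failed to find, de-duplicates them, and renders the result as a small HTML report of the kind the post describes. It assumes a CSV trace with the columns "Process Name", "Operation", "Path" and "Result" (the Process Monitor export layout); the trace lines, the process name `viewer.exe` and the share path are constructed sample data, not a real capture.

```python
"""
Trace-based audit of DLL hijack points (phase one of the two-phase audit).

Added example for this post; not code from DllHijackAuditor or from
DllHijackAuditKit. Assumes a CSV file-system trace with the columns
'Process Name','Operation','Path','Result' (Process Monitor export layout).
SAMPLE_TRACE is constructed sample data, not a real capture.
"""
import csv
import html
import io
import ntpath
from typing import List

# Constructed trace: a viewer launched with a remote share as its working
# directory opens a document and probes for several DLLs, two of which do
# not exist in the share (the classic hijack signature).
SAMPLE_TRACE = """\
"Process Name","Operation","Path","Result"
"viewer.exe","CreateFile","C:\\Program Files\\Viewer\\viewer.exe","SUCCESS"
"viewer.exe","CreateFile","\\\\fileserver\\share\\report.doc","SUCCESS"
"viewer.exe","CreateFile","C:\\Program Files\\Viewer\\helper.dll","SUCCESS"
"viewer.exe","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS"
"viewer.exe","CreateFile","\\\\fileserver\\share\\optional_codec.dll","NAME NOT FOUND"
"viewer.exe","CreateFile","\\\\fileserver\\share\\ui_theme.dll","NAME NOT FOUND"
"viewer.exe","CreateFile","\\\\fileserver\\share\\ui_theme.dll","NAME NOT FOUND"
"explorer.exe","CreateFile","\\\\fileserver\\share\\desktop.ini","NAME NOT FOUND"
"""


def parse_trace(trace_text: str) -> List[dict]:
    """Parse the CSV trace into one dict per row (keys are the header names)."""
    return list(csv.DictReader(io.StringIO(trace_text)))


def _same_dir(path: str, directory: str) -> bool:
    """Case-insensitive comparison of a path's directory with `directory`."""
    return ntpath.dirname(path).rstrip("\\/").lower() == directory.rstrip("\\/").lower()


def find_hijack_points(trace_text: str, process: str, cwd: str) -> List[str]:
    """
    Return the sorted, de-duplicated names of DLLs that `process` tried to
    open in `cwd` and did not find. Each one is a hijack point: a DLL of
    that name placed in the working directory would be loaded instead.
    """
    found = set()
    for row in parse_trace(trace_text):
        if row["Process Name"].lower() != process.lower():
            continue  # other processes touching the share are noise
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue  # only failed open attempts indicate a missing DLL
        path = row["Path"]
        if not path.lower().endswith(".dll") or not _same_dir(path, cwd):
            continue
        found.add(ntpath.basename(path).lower())
    return sorted(found)


def render_report(process: str, cwd: str, dlls: List[str]) -> str:
    """Render the audit result as a minimal HTML report; all values are escaped."""
    rows = "".join(f"<tr><td>{html.escape(d)}</td></tr>" for d in dlls)
    return (
        "<html><body>"
        f"<h1>DLL hijack audit for {html.escape(process)}</h1>"
        f"<p>Working directory: {html.escape(cwd)}</p>"
        f"<p>{len(dlls)} hijack point(s) found</p>"
        f"<table>{rows}</table></body></html>"
    )


if __name__ == "__main__":
    share = r"\\fileserver\share"
    points = find_hijack_points(SAMPLE_TRACE, "viewer.exe", share)
    print(render_report("viewer.exe", share, points))
```

The audit deliberately ignores successful loads (those resolve to the application or system directory before the working directory is ever consulted) and DLL probes by other processes on the same share; only a failed open of a `.dll` in the audited working directory is reported.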


I would like to thank EvilFingers, who ignited the spark with the above idea to create such a tool, and regards to HD for paving the path with his smart work on DllHijackAuditKit.


For more information and to download, visit the main page of DllHijackAuditor.


We welcome any bug reports, suggestions or feedback on this tool.


Gone are the days when those BlackHat hackers would tickle you for fun. Now they will poke you and take your diamonds without you even knowing anything about it until it's too late. The landscape in the cyber underground has completely changed since then, making it more like a well-organized business controlled by global entities around the world. It is not just script kiddies sitting out there in the dark and pulling the strings; the game is now run by skilled experts and high-profile business elements making millions overnight. In this lucrative business framework, the dark guys have even left behind the white hats, who have been struggling to catch up with the smart moves of these skilled men behind the scenes.

In this direction, this book on “Cyber Fraud” explores all those techniques, technologies and territories owned by the cyber crooks in a well-organized manner, demonstrating them with case studies and live examples from the cyber underground.


Here is the core information about the book:

Author: Rick Howard
Publisher: Auerbach Publications
Hardcover: 520 pages
Release Date: April 23, 2009
Rating(Amazon):


Here is the table of contents:

  • Cyber Fraud: Principles, Trends, and Mitigation Techniques
  • The Cyber Threat Landscape in Russia
  • Banking Trojans: An Overview
  • The Russian Business Network: Rise and Fall of a Criminal ISP
  • IFrame Attacks – An Examination of the Business of IFrame Exploitation
  • Inside the World of Money Mules
  • Preventing Malicious Code from “Phoning Home”
  • Distributed Denial of Service (DDoS) Attacks: Motivations and Methods
  • Mobile Malicious Code Trends
  • The Torpig Trojan Exposed
  • The Laqma Trojan
  • BBB: A Threat Analysis of Targeted Spear-Phishing Attacks
  • Silentbanker Unmuted: An In-Depth Examination of the Silentbanker Trojan Horse
  • Emerging Economic Models for Software Vulnerability Research

The book starts with the basics surrounding cyber fraud and then moves on to explain how the Russian Business Network (RBN) has influenced and played a major role in the systematic cyber crimes surfacing all around the world. It explains how less stringent Russian laws have boosted and protected the cyber criminals, letting them run the business flawlessly. It then brings out the stories of banking attacks carried out by implanting smart Trojans on the victims' systems and intercepting their transactions to silently steal their money.

Slowly the author starts getting more technical through the introduction of hidden iFrame attacks and their role in launching attacks in the background while the user happily browses around, completely unaware of the real game. The next chapter brings out the anatomy of the entire business network and the flow of money along the cyber crime lines through money mules. The author explains in very vivid ways how pump and dump scams take place, transparently passing the loot from one corner of the world to another in a matter of time.

The chapter on DDoS attacks makes it more evident how sophisticated attacks involving large-scale botnets are striking the net harder and how they have been used by ethical players to bring down their opponents. The end chapters on Trojans, covering real-life case studies, are mind-dazzling and help in understanding the complete life cycle of smart Trojans, from their deceptive model to their prominent role in the cyber fraud business. The last chapter on ‘Vulnerability Research’ goes into great depth showcasing how it has evolved into a heavy money-making business by connecting the threads between ethical and illegal business entities.


Overall, it is an interesting read and recommended for anyone who would like to know the ins and outs of the cyber crooks, their operations and the framework in which they operate to make millions behind the lines.

EBook Link: Got a link? Let me know.


SpyBHORemover (previously called BHORemover) is an advanced tool to explore and eliminate malicious BHOs from the system. BHO stands for ‘Browser Helper Object’: a plugin written for Internet Explorer to enhance its capabilities. This feature is often misused by spyware programs to monitor the user's browsing habits and to silently steal the user's credentials. Some BHOs also slow down the system considerably.

SpyBHORemover helps in quick identification and elimination of such spy BHOs present in the system. It not only performs heuristic-based threat analysis but also provides an online threat verification mechanism which makes it easy to differentiate between legitimate and malicious BHOs.


The current version 2.5 presents the following features:

  • Shows all the running processes having the selected BHO DLL loaded, along with the option to kill such a process or remove the BHO DLL from it.
  • Improved threat analysis with better heuristics.
  • ‘Right Click Popup Menu’ option for all the lists for quick execution of the desired action.
  • Enhanced user interface with a couple of bug fixes, including the ‘Jump to Registry’ fix on Windows 7.


For more information and to download, please visit the SpyBHORemover home page.



The web is full of recent DLL Hijacking exploits after HD Moore and other security researchers reported numerous Windows applications suffering from these flaws. Here I have decided to put together a simple write-up with all the relevant links in one place so that one gets the complete picture.


What is the DLL Hijacking Vulnerability?

In simple words, DLL Hijacking is a vulnerability which can be used to make a vulnerable Windows application load a malicious DLL by abusing its DLL search order mechanism, thereby taking complete control over the system. An attacker can trick the user into opening documents, videos or movies from a remote share where the attacker has placed a malicious version of a legitimate DLL. When the user launches the application to view such remote content, the application loads the malicious DLL instead of the original one.

This issue is not new and has been there since the early days of Windows, but it has gained more limelight as researchers discover more applications vulnerable to it through various mechanisms. Though Microsoft has documented these implications on MSDN, there are many vulnerable applications around.


How does it work?

Here is a very good video demonstration created by Offensive-Security which explains how one can easily lure victims into falling for this exploit using Metasploit.

KB: We can’t fix this one – Microsoft DLL Hijacking Exploit from Offensive Security on Vimeo.


What is the Workaround/Solution?

Microsoft has released a Security Advisory citing this problem and mentioning these mitigations:

  • Disable loading of libraries from WebDAV and remote network shares
  • Disable the WebClient service
  • Block TCP ports 139 and 445 at the firewall

Microsoft has also introduced a new registry entry, CWDIllegalInDllSearch, to safeguard individual or all applications from this vulnerability. Below is the link to the KB article:

A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm
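The two sections above (how the search order is abused, and what CWDIllegalInDllSearch changes) can be checked against a small model. The following is an added example, not code from Microsoft, Metasploit or any of the tools named in this write-up: it walks the documented search order with SafeDllSearchMode enabled (the default), applies the three CWDIllegalInDllSearch values from the KB article (0xFFFFFFFF removes the working directory from the search entirely, 1 skips it only when it is a WebDAV folder, 2 skips it when it is WebDAV or a remote share), and reports, for each DLL an application requests, where the loader would find it and whether a same-named file dropped into the working directory would win. The viewer application, its DLL names and the working-directory kinds are constructed sample data.

```python
"""
Model of the Windows DLL search order and of the CWDIllegalInDllSearch
mitigation.

Added example for this write-up; not code from DllHijackAuditor, Metasploit
or Microsoft. The search order is the one Microsoft documents for
SafeDllSearchMode enabled (the default); the CWDIllegalInDllSearch values
are the ones listed in the KB article. The file layout, DLL names and
working-directory kinds are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Search order with SafeDllSearchMode enabled (the default).
SEARCH_ORDER: List[str] = [
    "app_dir",    # directory the application was loaded from
    "system32",   # the system directory
    "system16",   # the 16-bit system directory
    "windows",    # the Windows directory
    "cwd",        # the current working directory (the hijack point)
    "path",       # directories listed in the PATH environment variable
]

# CWDIllegalInDllSearch values (from the KB article).
CWD_REMOVE_ALWAYS = 0xFFFFFFFF  # never search the current working directory
CWD_BLOCK_WEBDAV = 0x1          # skip it when it is a WebDAV folder
CWD_BLOCK_REMOTE = 0x2          # skip it when it is WebDAV or a remote share


@dataclass
class Environment:
    present: Dict[str, Set[str]] = field(default_factory=dict)  # location -> DLLs there
    cwd_kind: str = "local"  # "local", "remote_share" or "webdav"
    cwd_illegal_in_dll_search: Optional[int] = None  # registry value; None = not set


def cwd_is_searched(env: Environment) -> bool:
    """Decide whether the loader will look in CWD under the configured policy."""
    value = env.cwd_illegal_in_dll_search
    if value == CWD_REMOVE_ALWAYS:
        return False
    if value == CWD_BLOCK_WEBDAV:
        return env.cwd_kind != "webdav"
    if value == CWD_BLOCK_REMOTE:
        return env.cwd_kind == "local"
    return True  # not set: default behaviour, CWD is searched


def resolve(dll: str, env: Environment) -> Optional[str]:
    """Return the first location in search order that holds `dll`, or None."""
    for loc in SEARCH_ORDER:
        if loc == "cwd" and not cwd_is_searched(env):
            continue
        names = {n.lower() for n in env.present.get(loc, set())}
        if dll.lower() in names:
            return loc
    return None


def audit(dlls: List[str], env: Environment) -> Dict[str, Tuple[Optional[str], bool]]:
    """
    Map each DLL to (resolving location, hijackable). A DLL is hijackable
    when CWD is searched before any location that actually holds it, so a
    same-named file placed in CWD (for example on a remote share) would win.
    """
    report = {}
    cwd_index = SEARCH_ORDER.index("cwd")
    for dll in dlls:
        loc = resolve(dll, env)
        resolved_index = SEARCH_ORDER.index(loc) if loc else len(SEARCH_ORDER)
        hijackable = cwd_is_searched(env) and cwd_index <= resolved_index
        report[dll] = (loc, hijackable)
    return report


# Constructed sample: a viewer application and the DLLs it requests.
SAMPLE_DLLS = ["kernel32.dll", "helper.dll", "optional_codec.dll", "tool_ext.dll"]


def sample_environment(cwd_kind="remote_share", policy=None, planted=()):
    """Constructed file layout; `planted` lists DLL names present in CWD."""
    present = {
        "app_dir": {"helper.dll"},       # shipped beside the executable
        "system32": {"kernel32.dll"},    # system DLL
        "path": {"tool_ext.dll"},        # only reachable via PATH
        "cwd": set(planted),
    }
    return Environment(present, cwd_kind, policy)


if __name__ == "__main__":
    for policy in (None, CWD_BLOCK_REMOTE, CWD_REMOVE_ALWAYS):
        env = sample_environment(policy=policy, planted=["optional_codec.dll"])
        print(f"CWDIllegalInDllSearch={policy!r}, cwd={env.cwd_kind}")
        for dll, (loc, bad) in audit(SAMPLE_DLLS, env).items():
            print(f"  {dll:20} -> {loc!s:10} {'HIJACKABLE' if bad else 'ok'}")
```

Two things the model makes visible: a DLL that is missing from every earlier location (or is only reachable through PATH) is a hijack point regardless of whether an attacker has already planted a copy, which is why the audit tools look for failed loads; and setting the value to 2 protects the remote-share and WebDAV cases while leaving a local working directory searchable, so only 0xFFFFFFFF closes the hole for every working directory.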


What Can Developers Do to Safeguard Their Applications?

Microsoft has outlined several security measures for developers to prevent this remote DLL loading vulnerability. Here is the article which explains everything about DLL security mechanisms:

Dynamic-Link Library Security


How can I play with this DLL Hijacking Vulnerability?

Metasploit has already released the ‘webdav_dll_hijacker’ exploit to pen test against this DLL Hijacking vulnerability, which can further be used to understand and demonstrate it. Here is the blog article from Metasploit which explains the entire exploitation process:

Exploiting DLL Hijacking Flaws

You can also refer to the above video presentation to understand how it works before you play with it.


VASTO is the first toolkit of its kind designed to assess the security of various virtualization solutions, including VMware and Xen Server. It is implemented as a set of modules which can be integrated into Metasploit, the popular penetration testing framework. This makes it very easy for pen testers to integrate VASTO directly with their existing Metasploit framework and start using it on the fly with few or no changes. It has been tested with the latest Metasploit version 3.4.2 on Ubuntu Linux and is expected to work on all other platforms supported by Metasploit.

The latest version, VASTO 0.3, which was showcased at the recent BlackHat 2010, promises a great deal on the virtualization front, as there are very few tools available for penetration testing of these appliances.

Here is a short video demonstration of fingerprinting VMware Server using VASTO's “vmware_version.rb” module:

The video shows how one can directly launch the VMware version fingerprinting module through Metasploit to remotely detect the VMware Server version. Armed with the version of the remote VMware server, an attacker can then execute the right exploit against the vulnerable VMware server to bring it down or pwn it completely. You will find a couple of other interesting videos on the home page of VASTO which demonstrate the usage of the other modules.

Here is the current list of modules available for pen testing as part of VASTO:

  • abiquo_guest_stealer.rb => Exploits a path traversal in Abiquo up to version 1.5
  • abiquo_poison.rb => Serves an evil VM if a MITM is performed.
  • eucalyptus_bouncer.rb => Turns Eucalyptus systems into proxy servers.
  • eucalyptus_poison.rb => Serves an evil VM if a MITM is performed.
  • vmware_guest_stealer.rb => Exploits a path traversal in VMware products.
  • vmware_login.rb => Brute forcing for VMware
  • vmware_session_rider.rb => Local proxy to ride stolen SOAPID sessions with VI Client
  • vmware_sfcbd_exec.rb => Command exec (authenticated) on Studio and Data Protection
  • vmware_studio_upload.rb => Arbitrary file upload on Studio 2.0 beta
  • vmware_updatemanager_traversal.rb => Jetty path traversal
  • vmware_version.rb => Fingerprints VMware products
  • vmware_vilurker.rb => MITM code execution against VI Client
  • vmware_webaccess_portscan.rb => Turns VMware WebAccess into a port scanner (or a proxy)
  • vmware_autopwn.rb => Automates exploiting the updatemanager traversal to ride a session
  • xen_login.rb => Brute forcer for Xen Server
Though VASTO currently showcases modules mainly against VMware (and a few against Xen), hopefully in the near future we will see more against other virtualization appliances too.

With virtualization taking off across the computer industry, there is a growing need for scrutinizing virtualization security. In this direction, tools like VASTO look very promising.

Here is a brief update on the upcoming release of SpyDLLRemover. Most of the major work highlighted in our previous blog post has been completed and only some final artwork is left.

Below is a fresh glimpse of the new banner which is going to replace the old one. Besides the old one being old, the other reason for the change was the spider icon in the previous banner, which some people were allergic to. The new banner shows the splendid blue-colored icon along with the RootkitAnalytics logo on the right side. Let us know what you think about it.

Here is the status of the previously highlighted work:

  • Advanced Online Threat Verification using VirusTotal, ThreatExpert and Process Library
  • Fully Re-sizable window for better usability and analysis
  • Right click context menu option to quickly choose the right actions such as remove dll, kill process, online verification, open folder, open file in various editor, view properties etc
  • Improved Auto-Analysis which will significantly reduce the manual analysis.
  • Enhanced look & feel with new banner (no spider now :) ) , new icon , smaller buttons, better icons etc.
  • Option to open the DLL/EXE with Notepad, WordPad, UltraEdit or any of your favorite application (such as PEditor) for extended analysis.
  • New options dialog to control general settings.

All green-marked work items are completed and work is going on in full swing on the red items. In addition, there is a lot more work to be done on fixing various bugs, including some annoying ones. The improved auto-analysis is going to help the user by reducing the number of items needing analysis during the scan. Also, advanced threat verification with online portals such as VirusTotal, ThreatExpert and ProcessLibrary will immensely help in distinguishing between good and malicious ones.

If you have any suggestions which can improve the tool and are quick to do, we can take them into this release. Either way, do send your suggestions and feedback.

This major release is scheduled for the end of this month, but I am expecting it to be cut early, provided the stars continue to shine in the sky.


We are vigorously working on the next major version of SpyDLLRemover, which will bring the changes our users have been looking for since the beginning. We have received a lot of feedback, directly as well as through various forums, about improvements in SpyDLLRemover.

One of the most requested enhancements was the ‘Re-sizable Window’ feature, which will make for a better user experience and greatly helps in quicker, hassle-free analysis. Another was the improvement in ‘Auto-Analysis’ to reduce the number of items listed under the ‘need analysis’ section.

Here is a snapshot (at the current development stage) of the enlarged view of SpyDLLRemover (click on the image to see the bigger view).

This newer version brings all those changes in addition to a lot of other special features. Here are some of the prominent enhancements that will be presented in our upcoming SpyDLLRemover version:

  • Advanced Online Threat Verification using VirusTotal, ThreatExpert and Process Library
  • Fully Re-sizable window for better usability and analysis
  • Right click context menu option to quickly choose the right actions such as remove dll, kill process, online verification, open folder, open file in various editor, view properties etc
  • Improved Auto-Analysis which will significantly reduce the manual analysis.
  • Option to open the DLL/EXE with Notepad, WordPad, UltraEdit or any of your favorite application (such as PEditor) for extended analysis.
  • Enhanced look & feel with new banner (no spider now :) ) , smaller buttons, better icons etc.

Most of these enhancements are currently in development and we are expecting them to be completed by the end of this month. If you are looking for any specific enhancement, please send it across and we can see if we can put it into this release itself.

Keep watching this space for more news… until then, visit the main portal, RootkitAnalytics.com


This morning I got a surprise email from the BackTrack team asking for consent to include our tools in BackTrack. They have also expressed interest in including some of our upcoming Linux versions, such as FireMasterLinux. All of these will be part of the BackTrack repository and will be shipped in the next major release of BackTrack.

BackTrack is the most popular and loved Linux security distribution around the world. BackTrack is a Linux-based penetration testing arsenal that aids security professionals in performing assessments in a purely native environment dedicated to hacking. It is intended for all audiences, from the most savvy security professionals to early newcomers to the information security field. BackTrack promotes a quick and easy way to find and update the largest collection of security tools to date.

Update [30th July 2010]:

Today I received an email from the BackTrack team confirming that they have already added all of the password recovery tools from SecurityXploded to their repository. Here is the list of password recovery tools which are added to the repository under the package name ‘windows-password-recovery-tools’:

  • ChromePasswordDecryptor
  • Firemaster
  • FirePassword
  • FirePasswordViewer
  • GooglePasswordDecryptor
  • IEPasswordDecryptor
  • OperaPasswordDecryptor
  • OutlookPasswordDecryptor
  • ThunderbirdPasswordDecryptor
  • NetworkPasswordDecryptor

Update [6th Aug 2010]:

I have just received information from the BackTrack team that all the password recovery tools have now been put into the BackTrack 4 R1 release.

All existing users of BackTrack can now access all of these password recovery tools from SecurityXploded directly from the BackTrack repository. All of these tools will be integrated into the next major release of BackTrack. Great thanks to the BackTrack team for making this happen; it's a great moment for us.

It is a great privilege for us to have our tools on BackTrack, and for our users it's great to have their favorite tools in one place wherever they go on the earth.


This was more or less a surprise release, as it was never intended to be a separate tool as such. It was in fact to be part of FirePasswordViewer, since Thunderbird and Firefox use an identical password storage mechanism except for a few minor differences. As I was putting the changes for Thunderbird into FirePasswordViewer, I realized that it was going to be clumsy and confusing for the end users too. So at the last minute, I decided to create a separate tool for Thunderbird itself, and there we have ThunderbirdPassDecryptor.

ThunderbirdPassDecryptor is a free tool to recover email account passwords stored by Thunderbird, a popular email client application. It is a standalone tool and works on all Windows platforms from Windows XP to Windows 7. The password recovery is almost the same as explained for FirePasswordViewer, except that Thunderbird has a different profile location.

To know more about how it works and to download the tool, visit the main page of ThunderbirdPassDecryptor.


The other day while I was crawling through the books at the local book mall, I ran into this book. I immediately popped up the Amazon site on my cell phone to check the ratings and found that it is rated 4.5 (out of 11 ratings), which is a signal for a must buy. Cloud computing being the hot topic in the IT industry today, I bought this book without giving it a second thought, and it turned out to be worth it.

Cloud computing and virtualization are the buzzing factors of the tech world today, and a lot of techno geeks are trying to harbor as much information as possible so that they can be on top of it. As it is a relatively new word around the city, a lot of people still have a vague idea about the practicality of cloud computing and its security/privacy aspects. This book is set to clear those weeds out and bring more light into the subject from the perspective of reality.

Here is the table of contents of the book:

Chapter 1    Introduction

Chapter 2    What Is Cloud Computing?

Chapter 3    Infrastructure Security

Chapter 4    Data Security and Storage

Chapter 5    Identity and Access Management

Chapter 6    Security Management in the Cloud

Chapter 7    Privacy

Chapter 8    Audit and Compliance

Chapter 9    Examples of Cloud Service Providers

Chapter 10    Security-As-a-[Cloud] Service

Chapter 11    The Impact of Cloud Computing on the Role of Corporate IT

Chapter 12    Conclusion, and the Future of the Cloud

Appendix     SAS 70 Report Content Example

Appendix     SysTrust Report Content Example

Appendix     Open Security Architecture for Cloud Computing

The book starts with the basics: What is cloud computing? This is a good and required beginning for any book of this kind, as it helps not only professionals but also newcomers to understand the subject from ground zero. The book goes on explaining basic concepts revolving around cloud computing and its various service models.

Next it delves into the main topics of cloud security surrounding all three models of cloud computing: SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) and IaaS (Infrastructure-as-a-Service). Later chapters address privacy concerns in the cloud, including cloud auditing. There is one chapter which covers all the big players in the cloud computing space and explains what types of services and technologies are being offered by them. The short chapter on Security-as-a-Service is interesting; it describes how cloud computing can be extended to provide various security services such as email filtering, web content filtering, virus scanning etc.

Being one of the first books on cloud security, this book gets full marks for doing complete justice to the title by explaining it in detail and in simple terms. A much-needed book for current infosec professionals to understand and expand their earthly security horizons onto the cloud.

This is a must-read book for anyone, novice or expert, who wants to know everything about cloud computing and its security paradigm.

Ebook Link: http://www.megaupload.com/?d=XM6EDN7B

