Thursday, 9 August 2012

Malware Infection: Live Security Platinum

I use a notebook computer sometimes and at the weekend I found it was infected with a fake anti-virus program. This is a good opportunity to practise an investigation and find out as much about the malware as I can. I am going to write a series of blog posts detailing what I have found out.

I’m not exactly sure how I became infected, as I visited a number of sites during the weekend, mostly relating to security matters. My notebook does not have anti-virus installed and I first noticed something strange when an Adobe Flash Player update message appeared. The box displayed looked the same as the normal Flash updater, but when I clicked “install” an error message appeared saying that the version I was installing was not up to date. I clicked cancel and almost immediately windows began to appear warning me that I had numerous malware samples installed and that I should visit a certain site to install anti-virus software.

The malware has interfered with the running of many programs: I cannot run a command prompt or regedit and therefore cannot immediately run tools to examine what is happening on the notebook.

Some Internet research reveals that this is a new strain of what is a very common attack. Some articles relating to this malware can be found here

The descriptions in these articles match the symptoms I have been experiencing exactly.
I plan to make a copy of the hard drive for static analysis and hopefully find some way to dump the RAM.

Tuesday, 3 July 2012

Excellent Penetration Testing Book

Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide

Author: Lee Allen
ISBN: 978-1849517744

This is not a complete book review because I have not finished reading it yet. However, so far I am impressed with the intelligent way in which the content is presented. Each subject is explained in detail with examples of tool output. Quite often books present only a brief discussion of tools, which can be valid, but I find this book presents the information in more detail, allowing the reader to become more involved.

For instance, during the reconnaissance phase the author discusses the tool nslookup and shows the basic commands, their purpose and their output. The discussion then goes on to present ways of incorporating scripting into the process. Rather than giving an overview of a range of tools, the book examines a few in greater detail, which I find more satisfying.

Another aspect I like is that the author includes some excellent tips for finding out more information. For instance, when discussing DNS zone transfers, which are difficult to practise against real targets, the author includes a reference to a site that has been specially set up to demonstrate the security risks involved.

It’s also a good read and I am enjoying it!

Tuesday, 13 December 2011

Keeping up with Security News

I went to an interview yesterday and they asked me what I did to keep myself up to date with security news. This is a good question and I thought I would review some of the methods of keeping abreast of threats and news. This list is by no means complete and is just a taster of what is available.

Malware Threat Reports

Kaspersky provide a monthly bulletin of malware statistics and attack vectors. Descriptions are included of the top malware threats, along with statistics on the top attacks and the countries that are the top sources of malware.
McAfee provide a page containing the latest malware threats and also headline links to other sites such as SANS and InfoWorld.
Trend Micro provide a Threat Encyclopaedia page with information about vulnerabilities, spam and malicious URLs.

Security Incidents and Vulnerabilities

US-CERT provides a list of reported security incidents. Many of these updates can be added to a Yahoo home page for convenience.
Microsoft Security Bulletins are released monthly and a webcast is available with a summary.
It is also possible to sign up for emails and feeds for a range of security alerts.
SANS provides a range of newsletter options including NewsBites and more detailed vulnerability news.

General Web Sites relating to Security

A general web site focusing on IT security with some good resources on topics such as PCI DSS and certification. Registration is required to view some articles, which I find slightly annoying.
A good general site with a wide range of topics covered.
A blog on forensics and much more besides. It includes news updates and a range of resources on forensic techniques.
A general digital forensics news site. It is possible to subscribe to a newsletter with general forensic news.

This is just a selection; there are also a huge number of useful blogs available on all aspects of forensics and security.

Friday, 25 November 2011

Security Book Corner

Professional Penetration Testing
Author: Thomas Wilhelm
Publisher: Syngress
ISBN-13: 978-1597494250

This week I have been reading this excellent introduction to penetration testing. The book provides an introduction to formal methodologies such as ISSAF and OSSTMM as well as the nitty-gritty of how to conduct a pen test.

What I like best is the way the content is presented so the reader can follow along, with the author pointing out the ins and outs of using various techniques. This prevents the book from being a dry how-to manual. The author also puts techniques within the context of a real penetration test and its project management, which contributes to the professional approach of the book.

The author uses the labs Hackerdemia and De-ICE, which are available on the DVD or can be downloaded from the web site. These can be used to practise techniques on. I have installed Hackerdemia and BackTrack on a VM and it is very easy to set up and use.

Thursday, 24 November 2011

Evidence of Nmap in Wireshark files

I’ve just spent the morning looking at Nmap and the evidence an Nmap scan leaves in a Wireshark capture.
The default scan for Nmap (when run with raw-packet privileges) is a SYN scan. The probe packet has the SYN flag set and is the first step of the TCP three-way handshake. If the target replies with SYN/ACK the port is open; Nmap then sends a RST to tear the half-open connection down rather than completing the handshake, which is why this is also called a half-open scan. If the target replies with RST/ACK the port is closed, and if nothing comes back (or an ICMP unreachable arrives) Nmap reports the port as filtered.
The image below shows this process with the SYN bit set in the probe. The key characteristics of a SYN scan in a capture are the repeated SYN packets sent from one source to many ports on a single host, the RST/ACK replies from the closed ports, and the lack of a completed handshake on the ports that answered SYN/ACK.

Image of Nmap SYN scan

The TCP connect scan (-sT), which is what Nmap falls back to without raw-packet privileges, completes the full TCP handshake with the operating system's connect() call if the particular service is listening, as shown in the image below.

Image of Nmap Connect Scan

If the service is not listening then a RST/ACK is received instead of SYN/ACK. Visually the pcap will show repeated SYN packets sent to a target host, and it is clear that ports and services are being enumerated; the difference from the SYN scan is that open ports show a completed handshake (SYN, SYN/ACK, ACK) before the scanner closes the connection.
A null scan (-sN) in Nmap sends packets with none of the TCP flags set, repeatedly, to the target host. A closed port replies with RST/ACK as the RFC requires, while an open port sends nothing, so silence means open or filtered. This is illustrated in the image below.

Image of Nmap Null Scan
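To make the three flag patterns above concrete, here is an added example (not part of the original post, and not Nmap's or Wireshark's own code) that classifies scan type and per-port state from a list of packet records. The packets are constructed by hand to mimic what Wireshark's Info column shows for a SYN scan, a connect scan and a null scan; the addresses, port numbers and the flagging threshold in scan_alert are assumptions for illustration.

```python
"""Classify Nmap-style TCP scans from constructed packet records.

Added example for this post; the packet lists are hand-made to mirror
what Wireshark displays, no pcap is read.
"""
from collections import defaultdict


def pkt(src, dst, sport, dport, *flags):
    """One TCP packet as (src, dst, sport, dport, flags-as-frozenset)."""
    return (src, dst, sport, dport, frozenset(flags))


SCANNER, TARGET = "10.0.0.5", "10.0.0.9"   # assumed addresses

# Constructed SYN (half-open) scan: 22 open, 23 closed, 443 filtered.
SYN_SCAN = [
    pkt(SCANNER, TARGET, 40001, 22, "SYN"),
    pkt(TARGET, SCANNER, 22, 40001, "SYN", "ACK"),   # open port answers
    pkt(SCANNER, TARGET, 40001, 22, "RST"),          # scanner tears it down
    pkt(SCANNER, TARGET, 40002, 23, "SYN"),
    pkt(TARGET, SCANNER, 23, 40002, "RST", "ACK"),   # closed port answers
    pkt(SCANNER, TARGET, 40003, 443, "SYN"),         # nothing comes back
]

# Constructed connect scan: the handshake on 22 completes before teardown.
CONNECT_SCAN = [
    pkt(SCANNER, TARGET, 50001, 22, "SYN"),
    pkt(TARGET, SCANNER, 22, 50001, "SYN", "ACK"),
    pkt(SCANNER, TARGET, 50001, 22, "ACK"),          # third step of handshake
    pkt(SCANNER, TARGET, 50001, 22, "RST", "ACK"),   # scanner closes it
    pkt(SCANNER, TARGET, 50002, 23, "SYN"),
    pkt(TARGET, SCANNER, 23, 50002, "RST", "ACK"),
]

# Constructed null scan: probes carry no flags; only closed ports answer.
NULL_SCAN = [
    pkt(SCANNER, TARGET, 60001, 22),                 # silence: open|filtered
    pkt(SCANNER, TARGET, 60002, 23),
    pkt(TARGET, SCANNER, 23, 60002, "RST", "ACK"),   # closed
]


def probes_and_replies(packets, scanner, target):
    """Group packets per (scanner port, target port) into the scanner's
    probes and the target's replies, in capture order."""
    convs = defaultdict(lambda: {"probes": [], "replies": []})
    for src, dst, sport, dport, flags in packets:
        if src == scanner and dst == target:
            convs[(sport, dport)]["probes"].append(flags)
        elif src == target and dst == scanner:
            convs[(dport, sport)]["replies"].append(flags)
    return convs


def port_states(packets, scanner, target):
    """Infer per-port state from the target's answer, as Nmap does."""
    states = {}
    for (_, dport), conv in probes_and_replies(packets, scanner, target).items():
        probe, replies = conv["probes"][0], conv["replies"]
        if any("RST" in r for r in replies):
            states[dport] = "closed"                 # RST/ACK from target
        elif "SYN" in probe:                         # SYN or connect probe
            synack = any({"SYN", "ACK"} <= r for r in replies)
            states[dport] = "open" if synack else "filtered"
        else:                                        # flagless (null) probe
            states[dport] = "open|filtered"          # silence is ambiguous
    return states


def classify_scan(packets, scanner, target):
    """Name the scan type from the flag pattern in the scanner's packets."""
    convs = probes_and_replies(packets, scanner, target)
    probes = [p for c in convs.values() for p in c["probes"]]
    if any(len(p) == 0 for p in probes):
        return "null"
    # A bare ACK from the scanner after a SYN/ACK means the handshake
    # finished: that is a connect scan, not a half-open SYN scan.
    for conv in convs.values():
        got_synack = any({"SYN", "ACK"} <= r for r in conv["replies"])
        if got_synack and any(p == {"ACK"} for p in conv["probes"]):
            return "connect"
    if any(p == {"SYN"} for p in probes):
        return "syn"
    return "unknown"


def scan_alert(packets, min_ports=3):
    """Detection rule: one source sending fresh SYN or flagless probes to
    at least min_ports distinct ports on one host (threshold is assumed)."""
    ports = defaultdict(set)
    for src, dst, _, dport, flags in packets:
        if flags in ({"SYN"}, frozenset()):
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for name, trace in (("SYN", SYN_SCAN), ("connect", CONNECT_SCAN), ("null", NULL_SCAN)):
        print(name, classify_scan(trace, SCANNER, TARGET),
              port_states(trace, SCANNER, TARGET), scan_alert(trace))
```

The same grouping works on real captures if the records are filled from a pcap (for instance with tshark -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags.str); the point of the example is that the scan type is visible in the scanner's own flags, while the port state is visible only in what the target sends back.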

A good resource on the purpose of these scans and how they can be detected by firewalls and IDS can be found at

Thursday, 13 October 2011

Emerging from a Master’s degree

I have just finished my master's degree and have been taking a few weeks' break. I'm keen, though, to find out what has been going on whilst I've had my head in articles and books about rootkits. I've been looking on the web for some good resources and have come across a really good series of investigations entitled “CSI:Internet”. This is a series of investigations into malware and other Internet problems. They are excellent step-by-step accounts with details of the tools used, and also enjoyable reads. Good for learning and also for relaxing. This is the link:

Friday, 22 July 2011

Key Figure in Security Research: Dr Fred Cohen

Fred Cohen is the researcher credited with defining the term “computer virus” and has done an incredible amount of research into computer and security related issues. He is now working with the California Sciences Institute.
The web site is well worth a visit as it has articles and presentations on security and forensic issues. Follow the links to Faculty, then Dr Fred Cohen, and then to the external site (they use frames).
Also, at the bottom of the library page there is a series of games on security issues.
The site is well worth exploring for information.