Monday, January 25, 2010

BrightTALK: Practical VM Security Technique

I just finished the webcast on BrightTALK entitled "Practical VM Security Technique": http://www.brighttalk.com/webcasts/7992/play

I found some of these points interesting:

- Domain VHD audit script (http://download.chriswolf.com)
  - connect to the domain
  - collect a list of all computers
  - connect to each computer and list all VHD and VMDK files, and any files over 800 MB

- VMware VI 3.5 security hardening
  - http://www.vmware.com/files/pdf/vi35_security_hardening_wp.pdf

- To sniff VM-to-VM traffic, connect an IDS VM to a virtual switch (port group) set to promiscuous mode

- VMware VMsafe APIs

- VM traffic inspection and monitoring is usually not done by organisations, so that traffic is a blind spot

- Trend Micro approach to securing VMs:
  1. local agent-based protection inside the VM
  2. a security VM that protects the other VMs from the outside
     - anti-malware scanning VM
     - intrusion defense VM

Wednesday, January 20, 2010

Show Java Crypto Provider

Recently I worked on a project that needed the JCE library and the Bouncy Castle crypto library. After installing the library, we need to check which crypto providers are available in the JRE.

Code as below:

import java.security.*;

class ShowCryptoProviders
{
    public static void main(String[] args)
    {
        // Providers are returned in the preference order configured in java.security
        Provider[] providers = Security.getProviders();

        for (int i = 0; i < providers.length; i++)
        {
            System.out.println(providers[i]);
        }
    }
}

The console output:

SUN version 1.6
SunRsaSign version 1.7
SunJSSE version 1.6
SunJCE version 1.7
SunJGSS version 1.0
SunSASL version 1.5
XMLDSig version 1.0
SunPCSC version 1.6
BC version 1.45


These results are exactly the same as the provider order in /etc/java-6-openjdk/security/java.security:

# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider

Friday, January 8, 2010

PE Section md5 - pe-sig ruby script

For malware analysis, a PE section MD5 is far more useful than the plain whole-file MD5. pe-sig is a Ruby script which calculates the PE section MD5s using the Metasploit library functions. The script can be downloaded from the SourceFire blog: http://vrt-sourcefire.blogspot.com/2009/03/generating-virus-signatures-automated.html

I have tested the script with Metasploit 3.3.3 (the latest version), 3.2 and 3.0. It failed to execute correctly, with the error shown:

./pe-sig:44: undefined method `sigs' for #<Rex::PeScan::Analyze::Fingerprint:0xb7d1ac38> (NoMethodError)
        from ./pe-sig:33:in `each'
        from ./pe-sig:33

With the following modification, pe-sig executes correctly:
- add this line after the 'require' section (it reopens the Fingerprint class to add the missing sigs accessor):

module Rex; module PeScan; module Analyze; class Fingerprint; attr_accessor :sigs; end; end; end; end

The resulting snippet of code is:

require 'digest/md5'
require 'rex/peparsey'
require 'rex/pescan'
module Rex; module PeScan; module Analyze; class Fingerprint; attr_accessor :sigs; end; end; end; end

# location of your local signatures
local_sigs = 'signatures.txt'

( Special thanks to neo1 and bmc in #clamav for the help)
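
As an added example (not the pe-sig script and not Metasploit's Rex::PeParsey library), here is a small stand-alone Ruby implementation of the same section-hash idea: it walks the PE section table and MD5s each section's raw on-disk bytes. It assumes a standard PE/COFF layout (e_lfanew at 0x3C, a 20-byte COFF header, 40-byte section headers) and hashes SizeOfRawData bytes starting at PointerToRawData, which is my assumption about what pe-sig hashes. The build_sample_pe and section_header helpers and the minimal PE image they produce are constructed for the demo, not a real binary.

```ruby
require 'digest/md5'

# Parse the PE section table and MD5 each section's raw (on-disk) bytes.
# Assumption: standard PE/COFF layout; hashes SizeOfRawData bytes at PointerToRawData.
def pe_section_hashes(data)
  data = data.b
  raise ArgumentError, 'truncated DOS header' if data.bytesize < 0x40
  raise ArgumentError, 'missing MZ signature' unless data[0, 2] == 'MZ'
  pe_off = data[0x3C, 4].unpack1('V')                # e_lfanew
  raise ArgumentError, 'missing PE signature' unless data[pe_off, 4] == "PE\x00\x00".b
  raise ArgumentError, 'truncated COFF header' if data.bytesize < pe_off + 24
  nsections = data[pe_off + 6, 2].unpack1('v')       # NumberOfSections
  opt_size  = data[pe_off + 20, 2].unpack1('v')      # SizeOfOptionalHeader
  sec_table = pe_off + 24 + opt_size                 # first IMAGE_SECTION_HEADER

  Array.new(nsections) do |i|
    hdr = data[sec_table + i * 40, 40]
    raise ArgumentError, "truncated section table at entry #{i}" if hdr.nil? || hdr.bytesize < 40
    name, _vsize, _vaddr, raw_size, raw_ptr = hdr.unpack('a8VVVV')
    raw = data[raw_ptr, raw_size] || ''.b            # nil when PointerToRawData is past EOF
    {
      name: name.delete("\x00"),
      offset: raw_ptr,
      size: raw_size,
      truncated: raw.bytesize < raw_size,            # header claims more bytes than the file holds
      md5: Digest::MD5.hexdigest(raw)
    }
  end
end

# Whole-file MD5 next to the section hashes: an overlay appended after the
# last section changes the file hash but none of the section hashes.
def hash_report(data)
  { file_md5: Digest::MD5.hexdigest(data.b), sections: pe_section_hashes(data) }
end

# --- constructed sample input (NOT a real executable) ------------------------
def section_header(name, vsize, vaddr, raw_size, raw_ptr, chars)
  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
  # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
  # NumberOfLinenumbers, Characteristics
  [name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars].pack('a8VVVVVVvvV')
end

def build_sample_pe
  dos  = 'MZ'.b + ("\x00" * 58).b + [0x40].pack('V')               # e_lfanew = 0x40
  # Machine(i386), NumberOfSections=2, TimeDateStamp, PointerToSymbolTable,
  # NumberOfSymbols, SizeOfOptionalHeader=0 (omitted for brevity), Characteristics
  coff = "PE\x00\x00".b + [0x14c, 2, 0, 0, 0, 0, 0x0102].pack('vvVVVvv')
  text_raw = 'A'.b * 16
  data_raw = 'B'.b * 8
  hdr = dos + coff +
        section_header('.text', 0x1000, 0x1000, text_raw.bytesize, 0x200, 0x60000020) +
        section_header('.data', 0x2000, 0x2000, data_raw.bytesize, 0x210, 0xC0000040)
  hdr + ("\x00" * (0x200 - hdr.bytesize)).b + text_raw + data_raw
end

if __FILE__ == $0
  sample = build_sample_pe
  [sample, sample + 'overlay'.b].each do |image|
    report = hash_report(image)
    puts "file md5: #{report[:file_md5]}"
    report[:sections].each do |s|
      flag = s[:truncated] ? ' (truncated)' : ''
      puts format('  %-8s off=0x%06x size=%-6d md5=%s%s', s[:name], s[:offset], s[:size], s[:md5], flag)
    end
  end
end
```

Run stand-alone it prints the report twice, once for the sample and once with a few bytes appended as an overlay: the file MD5 differs between the two runs while both section MD5s stay the same, which is the property that makes section hashes the better signature. A section whose SizeOfRawData runs past the end of the file is reported as truncated rather than silently hashed short, since that is a common sign of a damaged or deliberately malformed sample.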

Saturday, January 2, 2010

Analysis on Win32.Viking.b

The sample I got from vx.netlux.org is Win32.Viking.b. It is an oldie. I let it run in the VM after some baselining.

Here is the result:
On execution, it creates a new file, Logo1_.exe.

File: Logo1_.exe
Size: 57344 Bytes
MD5: 4B76AAA70F11A65EE48ACAA886C823DE

Processes:
PID ParentPID User Path
1764 1228 HOME-B0E0982E28:Administrator C:\WINDOWS\Logo1_.exe

The registry keys affected:

RegKeys
--------------------------------------------------
SOFTWARE\Borland\Delphi\RTL
Software\Soft\DownloadWWW\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
Software\Soft\DownloadWWW\

The PE header info (from perdr)

The import section:

DLL: kernel32.dll
Addr: 000180DC hint: 0(0000) Name: DeleteCriticalSection
Addr: 000180E0 hint: 0(0000) Name: LeaveCriticalSection
Addr: 000180E4 hint: 0(0000) Name: EnterCriticalSection
Addr: 000180E8 hint: 0(0000) Name: InitializeCriticalSection
Addr: 000180EC hint: 0(0000) Name: VirtualFree
Addr: 000180F0 hint: 0(0000) Name: VirtualAlloc
Addr: 000180F4 hint: 0(0000) Name: LocalFree
Addr: 000180F8 hint: 0(0000) Name: LocalAlloc
Addr: 000180FC hint: 0(0000) Name: GetVersion
Addr: 00018100 hint: 0(0000) Name: GetCurrentThreadId
Addr: 00018104 hint: 0(0000) Name: WideCharToMultiByte
Addr: 00018108 hint: 0(0000) Name: MultiByteToWideChar
Addr: 0001810C hint: 0(0000) Name: GetThreadLocale
Addr: 00018110 hint: 0(0000) Name: GetStartupInfoA
Addr: 00018114 hint: 0(0000) Name: GetModuleFileNameA
Addr: 00018118 hint: 0(0000) Name: GetLocaleInfoA
Addr: 0001811C hint: 0(0000) Name: GetCommandLineA
Addr: 00018120 hint: 0(0000) Name: FreeLibrary
Addr: 00018124 hint: 0(0000) Name: ExitProcess
Addr: 00018128 hint: 0(0000) Name: WriteFile
Addr: 0001812C hint: 0(0000) Name: UnhandledExceptionFilter
Addr: 00018130 hint: 0(0000) Name: RtlUnwind
Addr: 00018134 hint: 0(0000) Name: RaiseException
Addr: 00018138 hint: 0(0000) Name: GetStdHandle

DLL: user32.dll
Addr: 00018140 hint: 0(0000) Name: GetKeyboardType
Addr: 00018144 hint: 0(0000) Name: MessageBoxA
Addr: 00018148 hint: 0(0000) Name: CharNextA

DLL: advapi32.dll
Addr: 00018150 hint: 0(0000) Name: RegQueryValueExA
Addr: 00018154 hint: 0(0000) Name: RegOpenKeyExA
Addr: 00018158 hint: 0(0000) Name: RegCloseKey

DLL: oleaut32.dll
Addr: 00018160 hint: 0(0000) Name: SysFreeString
Addr: 00018164 hint: 0(0000) Name: SysReAllocStringLen
Addr: 00018168 hint: 0(0000) Name: SysAllocStringLen

DLL: kernel32.dll
Addr: 00018170 hint: 0(0000) Name: TlsSetValue
Addr: 00018174 hint: 0(0000) Name: TlsGetValue
Addr: 00018178 hint: 0(0000) Name: LocalAlloc
Addr: 0001817C hint: 0(0000) Name: GetModuleHandleA

DLL: advapi32.dll
Addr: 00018184 hint: 0(0000) Name: RegSetValueExA
Addr: 00018188 hint: 0(0000) Name: RegQueryValueExA
Addr: 0001818C hint: 0(0000) Name: RegOpenKeyExA
Addr: 00018190 hint: 0(0000) Name: RegCreateKeyExA
Addr: 00018194 hint: 0(0000) Name: RegCloseKey
Addr: 00018198 hint: 0(0000) Name: LookupAccountSidA
Addr: 0001819C hint: 0(0000) Name: LookupAccountNameA
Addr: 000181A0 hint: 0(0000) Name: GetSidSubAuthorityCount
Addr: 000181A4 hint: 0(0000) Name: GetSidSubAuthority
Addr: 000181A8 hint: 0(0000) Name: GetSidIdentifierAuthority
Addr: 000181AC hint: 0(0000) Name: FreeSid
Addr: 000181B0 hint: 0(0000) Name: AllocateAndInitializeSid

DLL: kernel32.dll
Addr: 000181B8 hint: 0(0000) Name: WriteProcessMemory
Addr: 000181BC hint: 0(0000) Name: WriteFile
Addr: 000181C0 hint: 0(0000) Name: VirtualFreeEx
Addr: 000181C4 hint: 0(0000) Name: VirtualAllocEx
Addr: 000181C8 hint: 0(0000) Name: TerminateProcess
Addr: 000181CC hint: 0(0000) Name: SuspendThread
Addr: 000181D0 hint: 0(0000) Name: SizeofResource
Addr: 000181D4 hint: 0(0000) Name: SetThreadContext
Addr: 000181D8 hint: 0(0000) Name: SetLastError
Addr: 000181DC hint: 0(0000) Name: SetFileTime
Addr: 000181E0 hint: 0(0000) Name: SetFilePointer
Addr: 000181E4 hint: 0(0000) Name: SetFileAttributesA
Addr: 000181E8 hint: 0(0000) Name: ResumeThread
Addr: 000181EC hint: 0(0000) Name: ReadFile
Addr: 000181F0 hint: 0(0000) Name: OpenProcess
Addr: 000181F4 hint: 0(0000) Name: MapViewOfFile
Addr: 000181F8 hint: 0(0000) Name: LockResource
Addr: 000181FC hint: 0(0000) Name: LoadResource
Addr: 00018200 hint: 0(0000) Name: LoadLibraryA
Addr: 00018204 hint: 0(0000) Name: IsBadReadPtr
Addr: 00018208 hint: 0(0000) Name: GlobalFree
Addr: 0001820C hint: 0(0000) Name: GlobalAlloc
Addr: 00018210 hint: 0(0000) Name: GetWindowsDirectoryA
Addr: 00018214 hint: 0(0000) Name: GetVersionExA
Addr: 00018218 hint: 0(0000) Name: GetThreadContext
Addr: 0001821C hint: 0(0000) Name: GetTempPathA
Addr: 00018220 hint: 0(0000) Name: GetTempFileNameA
Addr: 00018224 hint: 0(0000) Name: GetProcAddress
Addr: 00018228 hint: 0(0000) Name: GetModuleHandleA
Addr: 0001822C hint: 0(0000) Name: GetLastError
Addr: 00018230 hint: 0(0000) Name: GetFileTime
Addr: 00018234 hint: 0(0000) Name: GetFileSize
Addr: 00018238 hint: 0(0000) Name: GetDriveTypeA
Addr: 0001823C hint: 0(0000) Name: GetCurrentProcessId
Addr: 00018240 hint: 0(0000) Name: GetCurrentProcess
Addr: 00018244 hint: 0(0000) Name: GetComputerNameA
Addr: 00018248 hint: 0(0000) Name: FreeResource
Addr: 0001824C hint: 0(0000) Name: FreeLibrary
Addr: 00018250 hint: 0(0000) Name: FindResourceA
Addr: 00018254 hint: 0(0000) Name: FindNextFileA
Addr: 00018258 hint: 0(0000) Name: FindFirstFileA
Addr: 0001825C hint: 0(0000) Name: FindClose
Addr: 00018260 hint: 0(0000) Name: FileTimeToLocalFileTime
Addr: 00018264 hint: 0(0000) Name: FileTimeToDosDateTime
Addr: 00018268 hint: 0(0000) Name: ExitProcess
Addr: 0001826C hint: 0(0000) Name: DuplicateHandle
Addr: 00018270 hint: 0(0000) Name: DeleteFileA
Addr: 00018274 hint: 0(0000) Name: CreateThread
Addr: 00018278 hint: 0(0000) Name: CreateSemaphoreA
Addr: 0001827C hint: 0(0000) Name: CreateProcessA
Addr: 00018280 hint: 0(0000) Name: CreateFileMappingA
Addr: 00018284 hint: 0(0000) Name: CreateFileA
Addr: 00018288 hint: 0(0000) Name: CopyFileA
Addr: 0001828C hint: 0(0000) Name: CompareStringA
Addr: 00018290 hint: 0(0000) Name: CloseHandle

DLL: mpr.dll
Addr: 00018298 hint: 0(0000) Name: WNetOpenEnumA
Addr: 0001829C hint: 0(0000) Name: WNetEnumResourceA
Addr: 000182A0 hint: 0(0000) Name: WNetCloseEnum
Addr: 000182A4 hint: 0(0000) Name: WNetCancelConnectionA
Addr: 000182A8 hint: 0(0000) Name: WNetCancelConnection2A
Addr: 000182AC hint: 0(0000) Name: WNetAddConnection2A

DLL: user32.dll
Addr: 000182B4 hint: 0(0000) Name: CreateWindowExA
Addr: 000182B8 hint: 0(0000) Name: UpdateWindow
Addr: 000182BC hint: 0(0000) Name: TranslateMessage
Addr: 000182C0 hint: 0(0000) Name: SendMessageA
Addr: 000182C4 hint: 0(0000) Name: RegisterClassA
Addr: 000182C8 hint: 0(0000) Name: PostThreadMessageA
Addr: 000182CC hint: 0(0000) Name: PostMessageA
Addr: 000182D0 hint: 0(0000) Name: LoadCursorA
Addr: 000182D4 hint: 0(0000) Name: GetWindowTextA
Addr: 000182D8 hint: 0(0000) Name: GetMessageA
Addr: 000182DC hint: 0(0000) Name: GetDesktopWindow
Addr: 000182E0 hint: 0(0000) Name: FindWindowExA
Addr: 000182E4 hint: 0(0000) Name: FindWindowA
Addr: 000182E8 hint: 0(0000) Name: DispatchMessageA
Addr: 000182EC hint: 0(0000) Name: DefWindowProcA

DLL: wsock32.dll
Addr: 000182F4 hint: 0(0000) Name: WSACleanup
Addr: 000182F8 hint: 0(0000) Name: WSAStartup
Addr: 000182FC hint: 0(0000) Name: gethostname
Addr: 00018300 hint: 0(0000) Name: gethostbyname
Addr: 00018304 hint: 0(0000) Name: inet_ntoa
Addr: 00018308 hint: 0(0000) Name: inet_addr
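
As an added example, not from the original post and not part of the perdr tool, the following Ruby script parses perdr-style import listings like the one above and groups the imported APIs into rough capability buckets for triage. The rule groupings, the bucket names and the two-hit threshold are my own heuristics; the sample input is an excerpt constructed from the listing above.

```ruby
# Capability buckets keyed on Win32 API names. An import set that hits two or
# more names in one bucket is worth a closer look during triage. These
# groupings are my own heuristics (assumption), not output of perdr or any
# published rule set.
CAPABILITY_RULES = {
  'process injection'     => %w[OpenProcess VirtualAllocEx WriteProcessMemory SetThreadContext ResumeThread],
  'network share access'  => %w[WNetOpenEnumA WNetEnumResourceA WNetAddConnection2A WNetCancelConnection2A],
  'registry modification' => %w[RegCreateKeyExA RegSetValueExA],
  'file system traversal' => %w[FindFirstFileA FindNextFileA CopyFileA DeleteFileA SetFileAttributesA],
  'embedded resource use' => %w[FindResourceA LoadResource LockResource SizeofResource],
  'host/network identity' => %w[gethostname gethostbyname GetComputerNameA]
}.freeze
MIN_HITS = 2

DLL_LINE    = /\ADLL:\s*(\S+)/
IMPORT_LINE = /\AAddr:\s*([0-9A-Fa-f]+)\s+hint:\s*\S+\s+Name:\s*(\S+)/

# Returns { "kernel32.dll" => ["WriteProcessMemory", ...], ... }; repeated
# "DLL:" blocks for the same library (as perdr prints) are merged.
def parse_imports(text)
  dll = nil
  imports = Hash.new { |h, k| h[k] = [] }
  text.each_line do |raw|
    line = raw.strip
    if (m = DLL_LINE.match(line))
      dll = m[1].downcase
    elsif (m = IMPORT_LINE.match(line)) && dll
      imports[dll] << m[2]
    end
  end
  imports
end

# Returns only the buckets that reached MIN_HITS, with the APIs that matched.
def triage(imports)
  names = imports.values.flatten.uniq
  CAPABILITY_RULES.each_with_object({}) do |(tag, apis), out|
    hits = apis & names
    out[tag] = hits if hits.length >= MIN_HITS
  end
end

# Constructed sample: an excerpt of the perdr listing from the post above.
SAMPLE_PERDR = <<~'PERDR'
  DLL: kernel32.dll
  Addr: 000181B8 hint: 0(0000) Name: WriteProcessMemory
  Addr: 000181C4 hint: 0(0000) Name: VirtualAllocEx
  Addr: 000181D4 hint: 0(0000) Name: SetThreadContext
  Addr: 000181E8 hint: 0(0000) Name: ResumeThread
  Addr: 000181F0 hint: 0(0000) Name: OpenProcess
  Addr: 00018244 hint: 0(0000) Name: GetComputerNameA

  DLL: mpr.dll
  Addr: 00018298 hint: 0(0000) Name: WNetOpenEnumA
  Addr: 0001829C hint: 0(0000) Name: WNetEnumResourceA
  Addr: 000182AC hint: 0(0000) Name: WNetAddConnection2A

  DLL: user32.dll
  Addr: 00018144 hint: 0(0000) Name: MessageBoxA

  DLL: wsock32.dll
  Addr: 000182FC hint: 0(0000) Name: gethostname
  Addr: 00018300 hint: 0(0000) Name: gethostbyname
PERDR

if __FILE__ == $0
  imports = parse_imports(SAMPLE_PERDR)
  imports.each { |dll, apis| puts "#{dll}: #{apis.length} imports" }
  triage(imports).each { |tag, hits| puts "[#{tag}] #{hits.join(', ')}" }
end
```

The output is a starting point for the manual work, not a verdict: a legitimate installer also imports FindFirstFileA and CopyFileA, and a packed sample imports almost nothing, so an empty triage result says more about the packer than the behaviour. The bucket names are the questions to answer in the debugger or sandbox, which for this sample would be the WriteProcessMemory/SetThreadContext pair and the WNet share enumeration seen in the listing.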

Trid result