Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-03-04 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Hardware isn't always more trustworthy than software

Published: 2007-03-04
Last Updated: 2007-03-04 20:02:52 UTC
by Maarten Van Horenbeeck (Version: 1)
0 comment(s)

Last week one of my colleagues mentioned that he found it strange that people always thought software was the issue when IT related issues occured. He hit the nail right on the head: is hardware really more trustworthy ?

Polish security researcher Joanna Rutkowska last week gave some good evidence that this need not always hold true. At the Blackhat conference in Washington, DC she showed three different scenarios in which software can fool hardware-based forensic acquisition of RAM memory.

The attacks, while still only theoretical, were developed for the AMD64 platform and could allow software running on a compromised system to cause such tools to crash, read out "garbage" data or in fact present them with fake content. This could make it impossible for a forensic investigator to discover malware in memory, even though it is in fact there.

Intelligence principles have always dictated we need to be very careful where we get our information from, and preferably triangulate it with other sources. Understanding whether the object sourcing us the information has motivation to lie to us, is becoming more and more important. In essence, Joanna shows that DMA (direct memory access) really isn't all that direct, and we need to better understand the limitations of our tools.

--
Maarten Van Horenbeeck

Keywords:
0 comment(s)

New tool in the fight against malware distribution

Published: 2007-03-04
Last Updated: 2007-03-04 18:44:28 UTC
by Maarten Van Horenbeeck (Version: 1)
0 comment(s)

The Internet Storm Center often reports on the use of defaced websites in malware distribution. High profile examples such as the recent Dolphin Stadium web site compromise show that web masters have every reason to be very interested in exactly what they are serving up to an ever more mobile and global audience.

Niels Provos recently released a tool, SpyBye, that allows a webmaster to perform exactly such an audit. SpyBye, of which version 0.2 was released yesterday, is a proxy server that analyzes a requested url, submits any links it finds through a rule based engine (including a list of known malicious sites) and then categorizes these in three categories: harmless, unknown or dangerous. A webmaster can install it on his local machine and then access his website to get detail on what exactly is taking place during the connection - that same webmaster, having knowledge of the expected content, will also be able to easily identify content that is suspicious, but could otherwise have been unreadable when obfuscated through some form of URI-encoding. 

This new version integrates with clamav to automatically scan downloaded files, and allows you to log all requests to syslog. Provos also provides a realtime version of the proxy so you can give it a try on-line. Note that it's still best to run any assessments of potentially dangerous content from a virtual machine, as the tool will continue to feed the results of requests classified as 'harmless' or 'unknown' to your browser.

Link: Monkey.org

Keywords:
0 comment(s)

Wordpress 2.1.1 source backdoored

Published: 2007-03-04
Last Updated: 2007-03-04 15:37:15 UTC
by Maarten Van Horenbeeck (Version: 1)
0 comment(s)

The Wordpress development team has a notification up on their blog that version 2.1.1 of Wordpress has been compromised, and code was added which allows remote code execution. This happened during a user-level compromise of one of their servers.

While not all 2.1.1 downloads have been affected, they advise that everyone running this version should upgrade to version 2.1.2 immediately. This version is fully verified and is not backdoored.

By way of mitigation, hosting providers that are not aware of the Wordpress versions running across their user base may wish to block access to theme.php and feed.php with a query string of 'ix=' or 'iz='.

More information: Wordpress.org

Keywords:
0 comment(s)
Diary Archives