Critical update to Adobe AIR
The folks at Adobe have released a bulletin and update to Adobe AIR that they classify as critical. It fixes some of the same vulnerabilities announced earlier in Flash player. Time to update if you are using AIR. Details related to that CVE number are not yet available at nvd.nist.gov.
Finding stealth injected DLLs
I've mentioned Volatility here before and I use it in my day job doing malware analysis. The problem is, I know it is capable of doing a lot more than I am currently using it for, but I rarely have the time to sit down and play with it and learn how to use it better. So, I was very pleased when I noticed that Michael Hale Ligh has written 2 pieces on how to use Volatility to find DLLs that have been stealthily injected into running processes. The first is Locating Hidden Clampi DLLs and the second is entitled Recovering Coreflood Binaries with Volatility. Does anyone else out there have any other tools/methods they use for trying to detect and analyze these DLL injections (or even non-stealthy ones)? Let me know via the contact page and I'll update this story.
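The approach those write-ups rely on is cross-view detection: a DLL that has been unlinked from the PEB's loader lists (or mapped without ever going through the loader) still shows up in the process's VAD tree as a mapped image, and a reflectively loaded payload shows up as a private, writable-and-executable region with a PE header. The following is an added illustration of that logic in Python; it is not code from this diary or from Volatility, and every process detail in it (PID, base addresses, paths) is constructed sample data standing in for what a memory-analysis tool would extract from an image.

```python
"""Cross-view check for unlinked or injected modules in one process.

Added illustration, not from the diary or from Volatility. All process data
below is constructed sample data, not a real memory image.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Vad:
    start: int
    size: int
    protection: str               # e.g. "PAGE_EXECUTE_READWRITE"
    image_path: Optional[str]     # set when the region maps an image file
    private: bool = False         # True for non-file-backed memory
    head: bytes = b""             # first bytes of the region, if readable


@dataclass
class ProcessView:
    pid: int
    name: str
    image_base: int               # base of the main executable
    in_load: Set[int]             # bases from PEB InLoadOrderModuleList
    in_init: Set[int]             # bases from PEB InInitializationOrderModuleList
    in_mem: Set[int]              # bases from PEB InMemoryOrderModuleList
    vads: List[Vad]


PEB_LISTS = ("InLoadOrder", "InInitOrder", "InMemoryOrder")


def find_suspicious_modules(proc: ProcessView) -> List[dict]:
    """Compare the three PEB lists against the VAD tree and flag disagreements."""
    findings = []
    image_vads = {v.start: v for v in proc.vads if v.image_path}
    lists = dict(zip(PEB_LISTS, (proc.in_load, proc.in_init, proc.in_mem)))

    # 1. An image is mapped but one or more loader lists do not know about it.
    for base, vad in image_vads.items():
        if base == proc.image_base:
            continue  # the main EXE is legitimately absent from InInitOrder
        missing = [name for name, members in lists.items() if base not in members]
        if len(missing) == len(PEB_LISTS):
            findings.append({"reason": "image_mapped_but_unlinked_from_all_peb_lists",
                             "base": base, "path": vad.image_path})
        elif missing:
            findings.append({"reason": "image_missing_from_" + ",".join(missing),
                             "base": base, "path": vad.image_path})

    # 2. A loader list references a base that no image VAD backs (stale/forged entry).
    known = set(image_vads) | {proc.image_base}
    for base in (proc.in_load | proc.in_init | proc.in_mem) - known:
        findings.append({"reason": "peb_entry_without_image_vad", "base": base, "path": None})

    # 3. Private memory that is both writable and executable; an MZ header there
    #    is the classic sign of a reflectively loaded DLL.
    for vad in proc.vads:
        rwx = "EXECUTE" in vad.protection and "WRITE" in vad.protection
        if vad.private and rwx:
            reason = ("private_rwx_with_mz_header" if vad.head.startswith(b"MZ")
                      else "private_rwx_region")
            findings.append({"reason": reason, "base": vad.start, "path": None})

    return sorted(findings, key=lambda f: f["base"])


# Constructed sample: an XP-era explorer.exe with one unlinked DLL and one
# private RWX region carrying a PE header. Addresses and paths are made up.
SAMPLE = ProcessView(
    pid=1234, name="explorer.exe", image_base=0x00400000,
    in_load={0x00400000, 0x7C900000, 0x7C800000},
    in_init={0x7C900000, 0x7C800000},
    in_mem={0x00400000, 0x7C900000, 0x7C800000},
    vads=[
        Vad(0x00400000, 0x100000, "PAGE_EXECUTE_WRITECOPY", r"\WINDOWS\explorer.exe"),
        Vad(0x7C900000, 0x0B2000, "PAGE_EXECUTE_WRITECOPY", r"\WINDOWS\system32\ntdll.dll"),
        Vad(0x7C800000, 0x0F6000, "PAGE_EXECUTE_WRITECOPY", r"\WINDOWS\system32\kernel32.dll"),
        Vad(0x10000000, 0x02A000, "PAGE_EXECUTE_WRITECOPY", r"\DOCUME~1\user\LOCALS~1\Temp\unlisted.dll"),
        Vad(0x00A30000, 0x020000, "PAGE_EXECUTE_READWRITE", None, private=True, head=b"MZ\x90\x00"),
    ],
)

if __name__ == "__main__":
    for f in find_suspicious_modules(SAMPLE):
        print(f"pid {SAMPLE.pid} {SAMPLE.name}: {f['reason']} @ {f['base']:#010x} {f['path'] or ''}")
```

The main-executable exception matters in practice: the process image never appears in the initialization-order list, so a checker that does not special-case it will flag every process.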
How are you coming with that IPv6 migration?
We've known for a number of years that IPv6 was coming. In fact, in some parts of the world, it really is here, but US Government mandates notwithstanding, not so much here in the US. I've played with IPv6 on my home network and I use Teredo to connect out using IPv6, but the real question in the back of my mind is: are the tools that we've grown accustomed to for network/packet analysis in IPv4 ready and up to the task of an IPv6 world? My question for our readers this afternoon is, are the tools you use ready for an IPv6 internet? Use the contact page to let us know either way. I'll post a follow-up next weekend and summarize your responses. In the meantime, CERT has published a nice little post on filtering ICMPv6 using host-based firewalls.
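One concrete thing "ready for IPv6" means for a packet tool is handling the extension-header chain: in IPv4 the protocol sits at a fixed offset, but in IPv6 the Next Header byte may name a Hop-by-Hop, Routing, Fragment or Destination Options header that has to be walked before the transport header (and the ICMPv6 type a host firewall filters on) is reached. The following is an added example in Python, not code from this diary, from CERT, or from any tool mentioned here; the two packets are constructed by hand, with checksums left at zero, so the parser can be run offline.

```python
"""Walk an IPv6 header chain to the upper-layer protocol.

Added example, not from the ISC diary, the CERT post, or any tool named there.
The packets below are constructed by hand (checksums left as zero).
"""
import ipaddress
import struct
from typing import Optional

# Extension headers that sit between the fixed IPv6 header and the transport
# header; each carries its own Next Header field (RFC 2460 numbering).
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
ICMPV6, TCP, UDP = 58, 6, 17


def naive_protocol(pkt: bytes) -> int:
    """What an IPv4-minded tool does: read byte 6 (Next Header) as 'the protocol'."""
    return pkt[6]


def parse_ipv6(pkt: bytes) -> dict:
    """Return addresses, the extension-header chain and the real upper-layer protocol."""
    if len(pkt) < 40:
        raise ValueError("short IPv6 header")
    first_word, payload_len, nxt, _hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    result = {
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
        "ext_chain": [],
        "upper": None,
        "upper_offset": None,
    }
    offset = 40
    end = min(len(pkt), 40 + payload_len)
    while nxt in EXT_HEADERS:
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        result["ext_chain"].append(nxt)
        next_nxt = pkt[offset]
        if nxt == FRAGMENT:
            # Fixed 8-byte header; the fragment offset is the top 13 bits of
            # bytes 2-3. Only the first fragment carries the transport header.
            frag_offset = struct.unpack("!H", pkt[offset + 2:offset + 4])[0] >> 3
            offset += 8
            if frag_offset != 0:
                return result          # upper layer not present in this fragment
        else:
            # Hdr Ext Len counts 8-octet units beyond the first 8 octets.
            offset += (pkt[offset + 1] + 1) * 8
        nxt = next_nxt
    result["upper"] = nxt
    result["upper_offset"] = offset
    return result


def icmpv6_type(pkt: bytes) -> Optional[int]:
    """ICMPv6 type if the packet's upper layer is ICMPv6, else None."""
    info = parse_ipv6(pkt)
    if info["upper"] != ICMPV6 or info["upper_offset"] is None:
        return None
    return pkt[info["upper_offset"]]


def build_packet(first_next: int, body: bytes,
                 src: str = "fe80::1", dst: str = "ff02::1") -> bytes:
    """Constructed IPv6 packet: fixed header followed by the caller's body."""
    hdr = struct.pack("!IHBB", 0x60000000, len(body), first_next, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body


# Sample 1: Hop-by-Hop header (PadN option) in front of an ICMPv6 Echo Request.
_HBH = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])      # next=58, len=0, PadN(4 bytes)
_ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])          # type 128, code 0, cksum 0, id 1, seq 1
ECHO_WITH_HBH = build_packet(HOP_BY_HOP, _HBH + _ECHO)

# Sample 2: a non-initial fragment (offset 100) of an ICMPv6 datagram.
_FRAG = bytes([ICMPV6, 0]) + struct.pack("!H", 100 << 3) + b"\x00\x00\x00\x01"
NONINITIAL_FRAGMENT = build_packet(FRAGMENT, _FRAG + b"\x00" * 16)

if __name__ == "__main__":
    for label, pkt in (("echo+hbh", ECHO_WITH_HBH), ("fragment", NONINITIAL_FRAGMENT)):
        print(label, "naive:", naive_protocol(pkt), "parsed:", parse_ipv6(pkt),
              "icmpv6 type:", icmpv6_type(pkt))
```

On the first sample the naive read reports protocol 0 (Hop-by-Hop) and never sees the Echo Request; the chain walker reports ICMPv6 type 128 at offset 48. The fragment sample shows the other half of the readiness question: a non-initial fragment carries no transport header at all, so any per-packet filter decision has to come from reassembly rather than from that packet alone.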
New Tool: NetWitness Investigator
A new freeware version of NetWitness' core product, NetWitness Investigator, was made available today. I was able to get access to it several days ago for a test run. It looks and feels much like Wireshark, but with a lot more capability. The only two issues I found with the tool are that the registration process (required) is a bit quirky but eventually works, and you'll see a noticeable drop in computer performance while it's running. But considering that this is a sniffer on steroids, I suspect that a performance drop is to be expected.
Here are notes from the NetWitness web site:
Product Features:
- Captures raw packets live from most wired or wireless interfaces
- Imports packets from any open-source, home-grown and commercial packet capture system (e.g. .pcap file import)
- License supports 25 simultaneous 1GB captures - far exceeding data manipulation capabilities of packet tools like Wireshark
- Real-time, patented layer 7 analytics
  - Effectively analyze data starting from application layer entities like users, email addresses, files, and actions
  - Infinite, free-form analysis paths
  - Content starting points
  - Patented port-agnostic service identification
- Extensive network and application layer filtering (e.g. MAC, IP, user, keywords, etc.)
- IPv6 support
- Full content search, with Regex support
- Exports data in .pcap format
- Bookmarking & history tracking
- Integrated GeoIP for resolving IP addresses to city/county, supporting Google® Earth visualization
- NEW! SSL Decryption (with server certificate)
- NEW! Interactive time charts, and summary view
- NEW! Interactive packet view and decode
- NEW! Hash PCAP on Export
- NEW! Enhanced content views
Minimum system requirements:
NetWitness recommends the following minimum hardware requirements for NetWitness Investigator:
- Windows® XP, 2003 Server, or Vista 32-bit
- Single 2 GHz Intel-based processor (dual-core recommended)
- 1GB RAM (2GB recommended)
- 1 Ethernet Port
- Internet Explorer v7+ (IE v6.x may limit some functionality)
- Ample data storage for collected data
- Note: Linux infrastructure available in commercial versions
The fully functional and licensed free version of NetWitness Investigator is at: http://download.netwitness.com. We are interested in your comments if you've downloaded and tried this software. Please let us know via our contact form.
Marcus H. Sachs
Director, SANS Internet Storm Center
A new cheat sheet and a contest
Our friend, Jeremy Stretch, over at packetlife.net has posted another of his excellent cheat sheets, this one covering 802.1X. He also has posted a challenge which will give you a chance to test your packet analysis skills. Check them out.