Microsoft November 2007 Monthly bulletins

Microsoft monthly bulletins was released . Patch this critical Holes.
MS07-061: Vuln in Windows URI Handling Could Allow Remote Code Execution
MS07-062: Vulnerability in DNS Could Allow Spoofing

Cyber Security Awareness Month

ISC collected 31 tips that folks necessary to know about threats. This collection is divided into 5 parts :Establishing a User Awareness Training Program , Best Practices , Hardware/Software Lockdown , Safe Internet Use , Privacy and Protection of Intellectual Property . I saw a lot of cool tips on this list. Recommended read.

1. Establishing a User Awareness Training Program

1 Penetrating the "This Does Not Apply To Me" Attitude
2 Multimedia Tools, Online Training, and Useful Websites
3 Getting the Boss Involved
4 Enabling the Road Warrior
5 Social Engineering and Dumpster Diving Awareness
6 Developing and Distributing Infosec Policies

2. Best Practices
7 Host-based Firewalls and Filtering
8 Anti-Virus, Anti-Spyware, and Other Protective Software
9 Access Controls, Including Wireless, Modems, VPNs, and Physical Access
10 Authentication Mechanisms (Passwords, Tokens, Biometrics, Kerberos, NTLM, Radius)
11 File System Backups
12 Managing and Understanding Logs on the Desktop or Laptop (AV, Firewall, or System Logs)
13 Patching and Updates

3. Hardware/Software Lockdown
14 Data Encryption
15 Protecting Laptops
16 Protecting Portable Media like USB Keys, iPods, PDAs, and Mobile Phones
17 Windows XP/Vista Tips
18 Mac Tips
19 Linux Tips
20 Software Authenticity (Digital Signatures, MD5, etc.)

4. Safe Internet Use
21 Understanding Online Threats, Phishing, Fraud, Keystroke Loggers
22 Detecting and Avoiding Bots and Zombies
23 Using Browsers, SSL, Domain Names
24 Not All Patches Are Released on a Tuesday
25 Using Email, PGP, X509 Certs, Attachments, Instant Messaging and IRC
26 Safe File Swapping
27 Online Games and Virtual Worlds

5. Privacy and Protection of Intellectual Property
28 Cookies
29 Insider Threats
30 Blogging and Social Networking
31 Legal Awareness (Regulatory, Statutory, etc.)

Adobe , spammers and a vulnerability

No we aren't Dead yet , just a little busy in the last month.
Probably you've heard about recent PDF spam attack (see also : TheRegister.co.uk & SANS.org ), despite Adobe company released Patch to fix this serious 0day vulnerability in its "Acrobat" and also "Reader" but hackers (read it spammers) are tries flooding inboxes with theirs malicious PDFs
some days ago I received a mail contains a pdf which exploit this vulnerability. attachment name is "invoice.pdf" and when I ran this file it attempted to download another malware .i looked the pdf with a hex editor and .....

as you can see malware tries to disable firewall and download a file from remote ftp.

See you to the next post ;)

Srizbi , Full-Kernel Rootkit Malware

hi folks,
In the last few days i came across to a new rootkit malware named trojan.srizbi (aka, Troj/RKAgen-A , Rootkit:W32/Agent.EA) that has capabilities of bypassing Firewalls and IDS systems and also tries to delete competitor rootkits .
this malware hooks ZwOpenKey,ZwEnumerateKey and hooks \FileSystem\Ntfs\IRP_MJ_CREATE
\FileSystem\Ntfs\IRP_MJ_DIRECTORY_CONTROL kernel routine of NTFS filesystem driver and also the Trojan creates %System%\windbg48.sys , %System%\[RANDOM NAME].sys files .
this trojan attempts to connect to to several servers for download config files .
the polymorphic code used in Trojan.Srizbi is very similar to the Backdoor.Rustock.B packer, but more advanced . srizbi is currently being spreads via iframe tools like Mpack . this YouTube video showing websites using Iframes and the MPack installer attacking a PC.
you can read more information on symantec .

RealVNC Honeypot

Do you remember Real VNC Vulnerability ?! in this case An attacker can bypass authentication and allows access to the remote system without requiring knowledge of the VNC password. When Vulnerbility and exploit published in public , i said to myself "this is a good target for Botnet Masters to infect big range of computers" , Real VNC runing on some of The Organization and Sensitive Networks . well, Common one of the Nepenthes project leader (Low Interaction Honeypot) Published a module which Displayed the screen of Microsoft OS desktop for Capture real vnc attacks from fool hackers or malwares. i managed RealVNC vuln on Virtual Machines for capturing real malwares . After one month i saw many attacks in my honeypots . Many attackers try to download malwares from Run menu and then install them on Honeypots Machines. Or others manually open the IE or firefox and download Binary file and runing that and in the end clean Browser History ...or FTP command from CMD on windows machine... But over 80 precent did that from RUN menu .
My honeypots structures and tricks :
VMware and Images of clear OS (XP , NT , 2000 or linux base oS)Installed Vulnerable Version or RealVNC Captured Network Traffics and locate HoneyPots behind the NAT and firewall (DOnt forget to enbale Realvnc incoming ports on firewall or NAT)Take SnapShot in vmware from clear OS

But for this time you can not find any interesting activity for RealVNC vuln .Np so its better fo you to wait for the next interesting Vuln !
Screenshot

Resources:

http://nepenthes.mwcollect.org

http://secunia.com/advisories/20107/

pwnie awards

This is an awards ceremony for Security Researchers , you can find some of the cool guys in judges list ... HD moore (Metasploit Project Leader), david aitel (immunitysec company CTO) , Halvar Flake (Sabre Security company CEO) , and others ...
They Publishd list of winners in LasVegas at Black Hat Conf .

See the winners list

do you agree with them ?!!:)

Blue Pill published

after long time now Blue Pill PoC by Joanna Rutkowska published .

Intro
The original Blue Pill proof of concept code has been written by Joanna Rutkowska, while working for COSEINC, and presented at the Black Hat Briefings 2006 in Las Vegas on August 3rd. Joanna Rutkowska then formed a small team of researchers inside COSEINC, Advanced Malware Labs, which was supposed to focus on further research into virtualization based malware. However after just a few months the priorities of work have been shifted, resulting in Blue Pill research activities being ceased.

In April 2007 Joanna Rutkowska decided to quit COSEINC and start her own security consulting firm, Invisible Things Lab. In May 2007 Alexander Tereshkin, a former member of COSEINC AML, joined ITL as a principal researcher. Joanna Rutkowska and Alexander Tereshkin decided to redesign and write from scratch the New Blue Pill rootkit, so that it would be possible to use it for further research and for educational purposes. Most of the New Blue Pill’s code was developed by Alexander Tereshkin.

The New Blue Pill is significantly different from the original Blue Pill, not only because of the various features that it implements, but also because of the different architecture it was based on (HVM-like approach, similar to that used by XEN 3).

website : www.bluepillproject.org