Rootkit Analysis: Hiding SSDT hooks

In an attempt to bring our readers/listeners more technical content, the SecuraBit team has brought on a guest blogger to cover some of the current issues facing malware analysts/reverse engineers.  Nick Jogie’s first post delves into rootkit analysis and explains in great detail how to detect rootkits when AV and perimeter security devices just aren’t enough.  Provide feedback to the SecuraBit team and let us know your thoughts!

“System Service Descriptor Table (SSDT) patching has been widely used by rootkits and is usually easily detected.  BlackEnergy version 2 has implemented a technique which successfully hides from basic rootkit detection.  Basic rootkit detectors typically only check address ranges, on function pointers, listed in the SSDT.  If the pointers are outside the kernel address range, it implies that the SSDT is hooked.

The following will illustrate a procedural check, used to uncover this technique, using a kernel debugger…”

Read more here:

Rootkit Analysis – Hiding SSDT Hooks

Written by: Nick Jogie

Adobe and Google may team up for Flash

ZDNet has a post about a rumor that Google and Adobe may team up, speculating that this may include bundling Flash with Chrome, both the OS and the browser.  We’ve had a lot of posts on Flash vulnerabilities on SecuraBit (they make a regular appearance during the Vulnerability Roundups), so the first thing that comes to mind is that this could mean even more vulnerable systems for attackers to exploit.

On the other side, as has been mentioned on twitter by @jack_daniel, @quine and @egyp7, there could be some upside.  This could mean that the folks at Google will get to look through the source code for Flash, perhaps tightening it up, or that the sandboxing in Chrome sees some improvement to compensate for weaknesses in Flash.  While the first case would certainly be nice, any improvement to Flash security seems like a Win.  Now maybe if we can get them to team up on Reader…

SecuraBit Episode 53: Thotcon If you think it you will go to Chicago!

Thotcon – http://www.thotcon.org/

Trustwave’s SpiderLabs – https://www.trustwave.com/spiderLabs.php

Chat with us on IRC at irc.freenode.net #securabit

Hosts:
Anthony Gartner @anthonygartner
Christopher Mills @thechrisam
Andrew Borel @andrew_secbit

Guests:
Nick Percoco @c7five – Thotcon & Trustwave’s SpiderLabs
Zack Fasel @zfasel – Thotcon & Trustwave’s SpiderLabs

Links:
http://www.thotcon.org/
https://www.trustwave.com/spiderLabs.php
SpiderLabs Radio – http://itunes.apple.com/podcast/spiderlabs-radio/id300567984
https://www.trustwave.com/spiderLabs-tools.php

Windows 7 “XP Mode” Vulnerability

This past Thursday (3/18/10) Microsoft announced that it will be dropping the hardware acceleration requirement for using the “XP Mode” feature on Windows 7.  XP Mode allows a user to run software which is not Windows 7 compatible in a virtualized instance of Windows XP on the same box.  Previously, to use this feature in Windows 7 you also had to have hardware virtualization acceleration, such as Intel VT or AMD-V.  However, with this update anyone with Windows 7 (Professional, Enterprise, or Ultimate editions) can now use it.  It’s nice to see Microsoft making some concessions for those users that have been unable to migrate to its newest platform, and perhaps provide them some encouragement.  But there’s a catch.

That catch comes in the form of an announcement from Core Technologies of a vulnerability in Microsoft’s Virtual PC which allows an attacker to bypass some of the security safeguards which would normally be in place if the system was running on bare metal rather than as a guest OS, as well as some of the tools in place to protect Windows 7, such as DEP, ASLR and SafeSEH.  This means that older vulnerabilities which were not considered exploitable, as other protections were in place, have been given a new lease on life.

Microsoft’s response downplays the announcement.  Microsoft is not calling this a vulnerability, as it requires that there already be another vulnerability to exploit.  As such, they will not be releasing a patch for the flaw, but will instead be waiting until the next release or service pack for the Virtual PC product.

In response, Paul Cooke from Microsoft says, “An attacker can only exploit a vulnerable application running “inside” the guest virtual machine on Windows XP, rather than Windows 7!”.  The exclamation mark at the end of this sentence was bothersome.  It seems that they are missing something.  Obviously there have been enough people up in arms about compatibility issues with Windows 7 that Microsoft felt the need to relax the restrictions on XP mode to encourage migration to 7.  This also says that there are companies which have software doing very important things and that the software doesn’t like Windows 7, hence the need for XP mode to be used more widely.  It’s all well and good that the host Windows 7 box is fine, as the excited Microsoft response above states, but if the important stuff is in the Virtual PC then who cares about the host OS?

More coverage is available at Threatpost

SecuraBit Episode 52: To catch a Mule with Krebs on Security!

Hosts:
Anthony Gartner @anthonygartner
Christopher Mills @thechrisam
Chris Gerling @chrisgerling
Jason Mueller @securabit_jay
Andrew Borel @andrew_secbit

Guests:
Brian Krebs – @briankrebs – http://www.krebsonsecurity.com/

VRT Blog Post:

http://vrt-sourcefire.blogspot.com/2010/03/apt-should-your-panties-be-in-bunch-and.html

Eric Chien, Symantec
Zeus, King of the Bots: http://www.noryak.net/papers/zeus.pdf

Chat with us on IRC at irc.freenode.net #securabit

Vulnerability Roundup

Well, it isn’t Patch Tuesday yet, but that doesn’t mean there isn’t Microsoft news.  A new 0-day has been found which exploits the help system in IE and older versions of Windows (2000, XP, 2003).  I’ve included a few links with information about the vulnerability and mitigation steps.  It appears a patch for this (and other known vulnerabilities) will not be included in the Microsoft release on Tuesday, which will include two bulletins, one for Office and one for Windows, which cover 8 vulnerabilities in total.

Cisco has also released three advisories for vulnerabilities in three of their products.  Patches are now available for the Unified Communications Manager, Digital Media Manager and the Digital Media Player Remote display.

An interesting hardware/software vulnerability has been released for OpenSSL which could allow an attacker to deduce at least parts of the private key.  The technique used to exploit this weakness doesn’t seem very practical for attacking a full size system, but could be practical against embedded devices.

A new version of the TYPO3 Core CMS system has been released to cover a few vulnerabilities (XSS, information disclosure).  Other Open Source projects, PHP and BIND, have also been updated with security fixes.

The Zero Day Initiative also has some upcoming advisories for Apple’s Safari browser, which may mean updates from Apple.  The ZDI has rated these as “High” severity.

Last, but never least, VMware has released an advisory for some of their products, which includes another large list of CVEs covered.  These updates include a long list of third party updates for packages in ESX.

Show Notice: KrebsOnSecuraBit – Interviewing @briankrebs 10 Mar

On March 10th around 8PM EST, Brian Krebs (http://www.krebsonsecurity.com) will be joining us on the podcast to talk about online crime, threats, security and other topics.

Join us on the 10th to hear and participate in this interview.

Live Stream: http://radio.packetsense.net:8000/listen.m3u

IRC Chat: irc://irc.freenode.net/securabit

About Brian Krebs: http://www.krebsonsecurity.com/about/

SecuraBit Episode 51: Malware Detection With Sunbelt Software

SecuraBit EP51 – Malware Detection With Sunbelt Software

Listen in as we discuss Sunbelt Software’s CWSandbox and other products, along with in-depth malware detection and analysis!

#BSidesSF – Tuesday/Wednesday, March 2-3, 2010 @ 10am – 5pm
#BSidesAustin – Saturday, March 13, 2010
#BSidesBOS – Saturday/Sunday, April 24-25, 2010
Chat with us on IRC at irc.freenode.net #securabit

Hosts:
Anthony Gartner – @anthonygartner
Christopher Mills – @thechrisam
Chris Gerling – @chrisgerling
Jason Mueller – @securabit_jay
Andrew Borel – @andrew_secbit

Guests:
Brian Jack – Sunbelt Software
Chad Loeven – Sunbelt Software

Links:

http://www.sunbeltsoftware.com/

http://www.sunbeltsoftware.com/Malware-Research-Analysis-Tools/Sunbelt-CWSandbox/

http://www.securitybsides.com/

Open Source Android Forensics

With more and more people using mobile devices, there’s a growing need to examine these devices forensically.  While there are commercial tools available, it only makes sense that there should be open source tools to use for it as well.

To that end Andrew Hoog of viaForensics has announced the first release of their Android Forensics application. Better yet, the application has been released under the GPL, so other developers will be free to tinker with the source, and hopefully expand the app’s capabilities.

The app is an APK file (currently unsigned, so to use it untrusted sources would need to be allowed on the device) which can be loaded on the device by using the Android SDK.  Once loaded it can compile information from various sources on the device including:

  • Browser history
  • Call logs
  • Contacts (including the different contact methods and other contact data)
  • SMS messages

The information is compiled into CSV files which can then be downloaded onto a workstation for review.  From the announcement it appears there are high hopes that more information can be gathered from the device, but this is certainly a start.

Announcement at the SANS Digital Forensics Blog

Google Code Project Page

viaForensics Blog