8.07.2010

This blog has been moved...


Hi,

The time has come... It's time for a change, for something better (i hope) and to finally make that final step that i've been avoiding: maintaining a blog on my own personal site. I always thought that this would be a long process, one full of pain and suffering (i was quite right actually, you will see it in a future post).
Blogger is too little for what I wanted, so I had to move this blog. Do not fear, all the posts and all your comments are still intact, so that you can still find the old content.
Please point your browsers to the new home of time blog: http://blog.claudiufrancu.ro OR http://www.blog.claudiufrancu.ro/feed for the RSS Feed. 
Thank you very much for the appreciation and please tell me what do you think about the new blog !

7.28.2010

Partial Solution to Panda Challenge 2010 Edition: 1st challenge


So, I've picked up on this rather late (Sunday around 10 PM - GMT +3:00), but it doesn't matter since i'm kind of new when it comes to Reverse Engineering. This was the message from PandaLabs:


As promised, this 1st challenge is here: 1st-challenge.exe. To solve it, you have to create one valid license key for 999 users of this program.
The license key has to be sent to pandachallenge at pandasecurity dot com before next Monday at 17:00 (GMT+2). To avoid any problem with the mail filters, any attachment has to be compressed (zip or rar) with password (panda). Remember that there is no need to register, just download the file and enjoy!
The 1st one to send a valid license key will be the winner of the iPad. Good luck all!


So begins the story...Load the file in OllyDbg. this is what you'll see:




Hit Alt+E to see the Modules Window, select 1st-challenge.exe, right click on it and click View Names (Ctrl+N). Type "ReadFile", right click on it and select "Toggle breakpoint on import".
What we've done so far is when the ReadFile API is hit, Olly breaks. Run the program, and our breakpoint has a hit. Since we can see that we're inside the kernel32.dll (this is the dll that contains our ReadFile API).

Please look at the EDX register. It says "UNICODE "wnloads\\license.k". This license.k is the file that this challenge reads. Create a file called license.k in you 1st-challenge.exe directory, come back in Olly and redo the steps explained until here. Now select Debug-Execute till user code from the menu (or just press Alt+F9).

Scroll up a few lines and you'll see something like this:


0041B629    PUSH 0                                       ; /pOverlapped = NULL
0041B62B   LEA EBX,[LOCAL.1]         ; |
0041B62E   PUSH EBX            ; |pBytesRead = 0142FD40
0041B62F   PUSH ECX ; |BytesToRead = 74D718AF (1960253615.)
0041B630   PUSH EDX                                   ; |Buffer = 0142FCB8
0041B631   PUSH EAX                                   ; |hFile = 00000001
0041B632   CALL              ; \ReadFile



Now F8 it in Olly (a looot of times, yes, don't be scared) until you reach this portion of code:

00401721   |.  895E 2C           MOV DWORD PTR DS:[ESI+2C],EBX
00401724   |.  8B55 DC           MOV EDX,[LOCAL.9]
00401727   |.  8B45 F8           MOV EAX,[LOCAL.2]
0040172A   |.  E8 F1B50100       CALL 1st-chal.0041CD20                                              ;bad boy 1
0040172F   |.  8B45 F8           MOV EAX,[LOCAL.2]
00401732   |.  E8 F9BC0100       CALL 1st-chal.0041D430
00401737   |.  EB 05             JMP SHORT 1st-chal.0040173E
00401739   |>  E8 829D0100       CALL 1st-chal.0041B4C0
0040173E   |>  8D85 5CFFFFFF     LEA EAX,[LOCAL.41]
00401744   |.  E8 17120000       CALL 1st-chal.00402960

You see the call at 0041CD20? This is the badboy1. Press space when you reach at this instruction (don't execute it yet), press the Space button (this is to assemble it), write "nop" and press Enter. This is how it should look like now:

00401724   |.  8B55 DC           MOV EDX,[LOCAL.9]
00401727   |.  8B45 F8           MOV EAX,[LOCAL.2]
0040172A       90                NOP                                                                                ; no more bad boy
0040172B       90                NOP
0040172C       90                NOP
0040172D       90                NOP
0040172E       90                NOP
0040172F   |.  8B45 F8           MOV EAX,[LOCAL.2]
00401732   |.  E8 F9BC0100       CALL 1st-chal.0041D430
00401737   |.  EB 05             JMP SHORT 1st-chal.0040173E
00401739   |>  E8 829D0100       CALL 1st-chal.0041B4C0
0040173E   |>  8D85 5CFFFFFF     LEA EAX,[LOCAL.41]

Press F8 again a few times, until you reach here:

004017A0   |.  DFE0              FSTSW AX
004017A2   |.  9E                SAHF
004017A3   |.  0F85 08010000     JNZ 1st-chal.004018B1                                                   ;  bad boy2
004017A9   |.  8B45 F8           MOV EAX,[LOCAL.2]
004017AC   |.  8B40 24           MOV EAX,DWORD PTR DS:[EAX+24]
004017AF   |.  E8 1C770100       CALL 1st-chal.00418ED0
004017B4   |.  83EC 0C           SUB ESP,0C

Go until JNZ 1st-chal.004081B1, press Space and write JE instead of JNZ. This ensures us that the jump will not be taken. Press F8 a few more times, until you see this:

004017DE   |.  DED9              FCOMPP
004017E0   |.  DFE0              FSTSW AX
004017E2   |.  9E                SAHF
004017E3   |.  74 05             JE SHORT 1st-chal.004017EA
004017E5       E8 D69C0100       CALL 1st-chal.0041B4C0                                              ;  bad boy 3
004017EA   |>  E8 818F0000       CALL 1st-chal.0040A770
004017EF   |.  89C3              MOV EBX,EAX


The last step here is to nop the call made to 0041B4C0 (i think you how by now). Finally, right click, Copy to executables -> All modifications -> Copy all, right click on the new window, Save file, and save it as incomplete-1st-challenge.exe. If you've lost yourself somewhere, you can find the files here.
So, let's recap! What was the challenge? The challenge was that the binary should have written
Registered for 999 user(s)
Congratulations!

What does it say now? It says this:
Registered for xxx* user(s)
Congratulations!


*xxx is a number from -999 to 999.


This message appears regardless to what the license.k file contains. Sure, I failed, but since the challenge isn't running anymore, the author has written a few words about this challenge:


The challenge is a crackme consisting in a little virtual machine developed in Free Pascal (http://freepascal.org). This VM has 5 general purpose registers (R0-R5), 5 registers for arguments (A0-A5), it has no memory and “texts” are stored in the registers, no matter if the value is a text, a decimal or a whole number, and the virtual machine supports a little more than 10 instructions (mov, hlt, xor, add, sub, …).
When the executable binary is run, it looks for the file “license.k”. This file is the “program” to be run by the virtual machine. Some random values are passed to this program in the arguments from A0 to A3. These random values will be the coefficients in the following elliptic curve:
result = sqrt(a*x**3 + b*x**2 + c)
The program has to move the values that have been passed to it from the arguments A0-A3 to R0-R3, operate with them in order to obtain the final result, put this value in the A0 entry and put the number of users for which it is licensed in A1. As simple as that! 
To make this task not so awful for me, while I was developing it, I created a quite rough (but effective) compiler in Python of some assembler code invented by me. The final assembler code with comments is as follows:
;
; Given the following equation:
;
;    sqrt(A*X^3 + B*X^2 + C)
;
; The coefficients are hold in the following registers:
;
; A0 -> A
; A1 -> B
; A2 -> C
; A3 -> X
;
; We can’t operate with any of the A* registers ; so move the values to general purpose registers MOV  R0, A0 ; R0 -> A MOV  R1, A1 ; R1 -> B MOV  R2, A2 ; R2 -> C MOV  R3, A3 ; R3 -> X MOVS  3, R4 ; R4 -> 3 POW  R4, R3, R4 ; R4 -> x^3 MOVS  2, R5 ; R5 -> 2 POW  R5, R3, R5 ; R5 -> x^2 MUL  R0, R0, R4 ; R0 -> ax^3 MUL  R1, R1, R5 ; R1 -> bx^2 ADD  R0, R0, R1 ; R0 -> ax^3 + bx^2 ADD  R0, R0, R2 ; R0 -> ax^3 + bx^2 + c ABS  R0, R0, R0 ; y = abs(ax^3 + bx^2 + c)
SQRT R0, R0     ; y = sqrt(y)
MOV  A0, R0 ; Store the result in A0
MOVS 99, R0
MOV  A1, R0 ; Store in A1 the number of license users ; DUMP ; <- Uncomment this for debugging purposes
And that’s all  The source code of the crackme and the “compiler” is already available (here).

You see the challenge now? It wasn't easy, and VM's are always a pain to debug!!!
As always, feedback is always welcomed! [and help, of course :D]


PS: I know the code look bad, but this theme is bad for writing assembly code. I'll probably replace it in the near future! 

7.22.2010

The road from malware sample to antivirus alert... Kaspersky style!


[0x00] The problem

Today I woke up and the twitter was full of news about the new undetected sample of SpyEyes. VirusTotal reported that no antivirus could detect it, yet. I got a sample (thank you Ben Koehl and Chae Jong Bin) and sent a sample to Kaspersky. I then waited and waited and waited. I just pushed the manual update of my KIS 2010 (produced by Kaspersky), but still undetected. So I started to do my reasearch...


[0x01] Who is Kaspersky?
Kaspersky Lab is a computer security company, co-founded by Natalya Kaspersky and Eugene Kaspersky in 1997, offering anti-virus, anti-spyware, anti-spam, and anti-intrusion products. The Kaspersky Anti-Virus engine also powers products or solutions by other security vendors, such as Check Point, Bluecoat, Juniper Networks, Sybari (now acquired by Microsoft), Netintelligence, GFI Software, F-Secure, Clearswift, FrontBridge, G-Data, Netasq, and others. Altogether, more than 120 companies are licensing technology from Kaspersky.
Also, in my point of view Kaspersky Lab does the best job when it comes to detecting malware.


[0x02] Their problems
As seen on viruswatch, they receive a lot of e-mails. Frankly, I would not like to be in their skin. A security researcher has thousands malware samples to analyze per day, if you count only the e-mails received, not including what their honeypot intercepts. It's a massive amount of work.


[0x03] The path to detection
The process is not as simple as you would think. First a malware is out in the wild. Somebody gets it and sends it to them. They scan it with their own tools. They confirm it's indeed a malware. They release a signature. The signature gets pushed on their servers. The end user's antivirus checks automatically for update, and only after that the malware if detected/deleted/disinfected from the users PC.


[0x04]  Internal structure
When a user's antivirus updates, it check's for a Kaspersky Lab server. There are 22 servers spread across all over Europe (yes, i live in Europe) and can be browsed starting from http://dnl-eu1.kaspersky-labs.com-http://dnl-eu22.kaspersky-labs.com. All 22 servers are perfect synchronized every second, so what's on one server, you can find on all other 21 servers.


[0x05] Getting the actual update
The signature it's on the server. Your antivirus first checks to see if there are any new updates since the previously update (it uses the u0607g.xml.dif file for this), then it checks what components exactly are updates (Malware, Banners, Phishing sites, Spam, Malicious scripts, Suspicious sites, Network attacks, Rules for security analyst). If there are new malware signatures on the server (the file 2.kdb-i386-0607g.xml.dif is used), then the antivirus gets the new signatures files (usually apuXXXX.dat files) and finally updates the new informations about the database (time of update, number of threats detected, etc.). After this, if you scan your file, it's finally detected as a malware.


[0x06] The SkyEyes problem
After doing other things, I've checked Kaspersky's database again and scaned my malware sample. It now detected as Trojan-Spy.Win32.SpyEyes.nj, but as seen here, new variants have been written and detected by KIS 2010. Good job guys!


[0x07] The TotalVirus report
The report can be found here and at the moment of writing only Comodo and Kaspersky detect the malware (Heur.Suspicious for Comodo and Trojan-Spy.Win32.SpyEyes.nj for Kaspersky). At least we're safe for now!


[0x08] Conclusions
1. It's hard to get a good sample as an individual. It's almost as hard to get it as an AV company. No sample, no analysis, no signature, no quality.
2. The bad guys are always a few steps ahead. If you take my samples example, the time when it was first detected is 08:07 and the time when the signature was pushed on server was 16:39. This means that the sample has 8h 32m to create havoc on the victim computers. This means good $ for the bad guys.
3. Even now, only 2 AV's detect it. This is bad. There should be some kind of help between the AV companies. I know that it's a competition for the best antivirus, but the one that finally suffers is the user, the one that actually pays for the AV. This is not fair at all.


[0x09] Final conclusions
We need better heuristic methods. Instead of taking the time to release a signature, the heuristic scan should have detected the malware sample as a threat from scan no.1, push the result on the server and release it to all other users that use the same AV. This is of course idealistic, because the size, the costs and the time to scan for an AV would grow up exponentially. Still, as everything related to human kind, we are the weak link in this chain!





[Disclaimer: This article is written for educational purposes only. I'm not affiliated with any AV company, nor do I advertise for one. I just write my ideas freely, as this was the intent when I started blogging]





PS: Feedback is always welcomed, or just say hi at this e-mail: klaudyus|at|gmail.com

7.19.2010

Dynamic malware analysis Part II

Here we are again, after talking in short about Buster Sandox Analyzer. I will not bore you with details about installing Sandobxie or , because they did a great job of covering that on their own website.
I've promised you that we will talk about Virut in this second tutorial. Win32.Virut.C is a dangerous malware, very complicated, but since it's no 0day (actually it was detected back in 2007), there are a lot of good papers about it. 
A basic introduction of the malware you can find here, and a few technical papers that I'd recommend for reading are: Review of the Virus.Win32.Virut.ce Malware Sample written by Vyacheslav Zakorzhevsky from Kaspersky Lab, Virut Encryption Analysis written by the guys from SecureWorks and Under the Hood: Virut written from the guys at TeamFurry.

[Please, take your time to study the analysis of the malware. At least read the basic introduction, because without it, this article with make no sense whatsoever.]

So back to the practical part of this article. If you get a sample of Virut, you'll see that analyzing it in it's form is in vain. What's your next step? Try loading it in a sandbox. We'll try it one by one, and I'll post the results:


CWSandbox
Sandbox analysis: here
Things learned:
- created a C:\8884425.exe file; created a R30S mutex



Anubis
Sandbox analysis: here
Things learned: -



ThreatExpert
Sandbox analysis: here
Things learned:
- please read the report, it covers a lot of details



Comodo Instant Malware Analysis
Sandbox analysis: here
Things learned:
- please read the report, it covers a lot of details



EUREKA Malware Analysis
Sandbox analysis: here
Things learned:
- it tried to unpack the .exe file; provided string and dns of "unpacked" .exe; created an unpacked .asm
[i can't confirm if this output was based on previous analysis, or run-time analysis]


Norman Sandbox
Sandbox analysis: here
Things learned:
- anti debug/emulation code present; mutex, section, modify memory, modify OS kernel function



Let's try the same thing now, except that only this time we use BSA.

Buster Sandbox Analysis
Sandbox analysis: here
Things learned:
- process created, service opened, mutex created, registry keys opened, registry keys modified, privilege escalation
[it totally missed the NtCreateFile and alike functions, and also the port connections].


Conclusions

We can observe that the job of a malware researcher is not easy. PandaLabs reports that it had 22,000 new malware samples to analyze per day in 2008, so if you do the math , you can easily see that the researcher has around few seconds to spend per malware analysis. This is an ongoing battle.
Dinamic analyzing a malware is not easy. There's no one tool available for the public that can tell you all the possible threats that a malware posses.
It's almost impossible for a malware researcher to do the static analysis on the blind (meaning without a basic dynamic analysis up front). It's hard to get right away into the code and have no idea for what to look into.
An old malware like Virut (dated from 2007) is still a problem for the public sandboxes  and we need better tools available for the public, in order to do a better malware research.
Buster Sandbox Analysis gives us overall good results. If we filter the noise and explore the real things that happen, we obtain a good result. Also a plus, is the fact that we have control, and it's offline.
I want to finish this article by asking a question on the AV companies: How do you expect to educate great people regarding malware defense, with so poor quality public sandboxes?

PS: I want to thank Costin Raiu for providing me the Win32.Virut.Ce sample. It helped me a lot!


One final note: feedback is always welcomed, please post your opinions/questions in the comment section.

7.18.2010

Dynamic malware analysis Part I




     I was always fascinated by the computer security industry. Smart people on both sides (good/bad) of the baricade, a lot of dreams, ambition and everything i could ever wish.  The best part of it it's the dinamic in this field: if there's a 0-day detected now, in half a minute it's on twitter and after half a day it's already old news.
     I myself strongly believe that a real security guy is one that deals with data and application security, not host or network security (I don't try to be a troll or disrespect Jeremiah's  Grossman/RSnake's/all the talented people's work, but this is my oppinion).

     When faced with the threat of a malware, the course of action is somehow simple:
     1. Identify the malware that infected your system.
     2. Remove the malware(s), backdoor(s) and all the holes in your system.
     3. Asses the damage that has been done and patch your system to avoid further infections.

     I could go into specifics here, to tell you how exactly to do every big step that i've written, but i think that there are a lot of papers that do this already(if you really want and need, i could go into specifics as a future post).
     Learning what a malware does by yourself, that's a whole nother problem. It's just like in real time: there's one thing to see a house design that you like and copy it, and another thing to design your own house from scratch by yourself.
     What do i mean with that example? It's easy to get rid of the malware by using the proper application (or even installing the right antivirus), but it's very hard to try to figure by yourself what that malware does, and how. What are the challenges? Well, let's see:
     1. Get a sample of the malware.
     2. Perform a dynamic and static analysis on the malware, so that you have an ideea what does the malware do.
     If stage (1 & 2 == proper) then "document the analysis" && "write a tool"
else "read from  people smarter than you" && "learn harder" && "repeate stage 1 and 2"
     Modern malware make researchers face many problems, like: advanced obfuscation, anti-debugging, anti-dumping, EPO (Entry Point Obfuscation), resource encryption, virtual machine detection, anti-patching, metamorphism, memory protection, and these are only a few. Running your malware through OllyDbg or attaching it to ImmunityDbg doesn't cut it anymore.
     So let's say you find a malware sample. You create yourself a virtual lab (for obvious reasons). You to dissasemble the malware with IDA, but it get's you nowhere. What do you do? Or better yet, what can you do? Dynamic malware analysis is the answer.

     I've tried a quite large number of sandboxes. Starting with CWSandbox, Anubis, ThreatExpert, Norman Sandbox Analyzer, Zero Wine, Comodo Instant Malware Analysis, EUREKA Malware Analysis and many more. Some do good, others do not so good, but i think i've found a solution that works for me (of course that an antivirus has it's own tools, produced in-house, but you almost never have access to those tools).

     I've once heard of a sandbox called Sandboxie, and i felt in love with the general concept. I thought to myself: what if I could implement this sandbox in order to study malware? For a few minutes i thought: what if i hijack all the API calls that are made and just list them? This would be awesome from a malware researcher POV. 

     And then I totally forgot about it. And good that i did. After spending some time to research, I've found the amazing Buster Sandbox Analyzer (BSA). It integrates everything that I've thought about, even much more.
     Part II will be about a general introduction about Buster Sandbox Analyzer and performing a dynamic malware analysis on Virut as a case study.



7.17.2010

Thank you, my dear teachers !!!


A lot of things have happend since i last wrote here. I was sick, healty, happy, sad, afraid, confident, sad, happy and in a lot of ther moods. Nothing is the same, and nothing will ever be the same now. What do I mean by that? Keep on reading and you'll see:

1. I was in my last semester at the Lucian Blaga University in Sibiu (Hermann Oberth Faculty of Engineering). I've seen them all: indiferent/bad/absent/incompetent/moody teachers. I had only one final exam to pass (it was the graphics programming course) and i had to take that exam. I still hate that teacher (yeah, you Rodica Baciu, I'm talking about you) because of her incompetence, but it's all over now.

2. As every student that finishes a University, I still had one final exam to pass, in order to graduate: the thesis exam. I went to my teacher and ask him if he agrees for me to study the problem of "Buffer overflows in modern operating systems" as my final thesis exam. He said it's ok, and ok it was.
For ~3 months I was living and breathing my thesis. I had an average of 50 tabs on the subject, opened with Google Chrome. I learned a lot. It was really insane!

3. I already wrote my thesis, i even had the working exploit for my Winamp 5.572 target. It was the day before I should have presented, and out of curiosity I went to the University to see the level of the thesis. After seeing this, I backed down from my original tought of 100 slides to only 20 slides, because of the short time (20 minutes/student).


4. My time to present has comed. After 5 minutes I've seen the look on one of my teachers (Lucian Vintan) and he asked me: "How is this still possible? I thought that they solved this problem by now!". I've said that it's an ongoing battle against the good and the bad guys, and it's never game over. He understood and stood still, but the others started to ask me questions in a hotical manner, and my answers were the same (not the quality, but the answers).
Instead of being there for 20 minutes, I was in there for 50 minutes and my teachers graded me with 8,55. I was really upset! It wasn't the grade that upset me, it was that i've seen it in their eyes that they didn't understood everything that i've done, and that they can't acknowledge my hard work that i've invested in my thesis. 

5. I was furious, mad, hurt and after 1 day of healing, i went yesturday to the University to assist to the thesis exam of another "University", Roger. I stood there for 3 hours and after that I've seen the diference between us and them and our teachers and theirs. 
"What's an object? What's the role of syncronization reggarding operating system process? How would you describe the process of sincronization in real life?..." these were the simple questions that they had to face, and unfortunately they didn't knew the answers to this simple questions. It was amuzing and sad in the same time...

One teacher asked me at the end: "How do you feel, now that you've seen the quality of others?". I replyed: "I feel like a little/big genius. Thank you from the buttom of my heart for every second that you've all spent learning us, because you did a heck of a job". We shaked hands and I left.


Now it doesn't matter. I'm not mad anymore about my thesis grade. I've moved on. Now I realize, that what I have done is far more important than a simple grade. I've learned to learn, i've learn to write a thesis, to know my place (for the moment being), to know what i know and the teachers gave their best in order to pass their knowledge to us. This is more important than any grade that I could have been given.

Now the University road has comed to an end for me. It's time to get a job, give my best and prove myself. Another road has started, but I want to end this post with this simple and honest message, and my full gratitude: 
Thank you, my dear teachers !!!

4.12.2010

Romania and "hackers"


Hello there, it's been a long time since I have written something here. It's not that i ran out of ideas, it's my busy schedule that takes all my time (you know, last semester at the University and all).

The topic that I want to talk about now, it's regarding "hackers". I use the quote sign, because real hackers are few (even now, after 20+ years of Internet), so I'll talk about the other ones, like script kiddies, spammers, phishers and the ones alike. We can categorize them however we want: by their type, by their abilities,  by the amount of money that the earn, by their popularity (remember Gary McKinnon) or by their country. The last category interests me, so let's get it going.

Romania is apparently a country like any other. We're known mainly because of Dracula's Castle and Dacia Logan manufactured by Renault. We have recently (meaning 20 years) escaped from the communist regime that was imposed by Ceausescu, and some still regret those days (unfortunately too many, if you ask me). I was too littler to remember those days, but I enjoy the liberty that I have now, so I am indifferent to the remarks of the ones that state that then were some good times.
It's hard to live in such a country. The middle class is almost not present, we have either poor, other rich people. The minimum salary is 173.82 EURO, which isn't much at all. The thing that will amaze you, is that we have an impressive amount of luxury cars everywhere you look. Romania is the land of cars, not the land of choice IMHO. However, between luxury cars, very beautiful women (and i really mean beautiful), palinca, our hospitality and other good things, we have our really nasty things. You can't survive in Romania if you're not a "hacker" of some sort. Believe me, it's impossible. From the moment when you arrive until the moment you leave, you must think like a Romanian, else you're going to end up bad. Everybody is up to get you (and no, I don't suffer of paranoia). If you don't know somebody when you're ill you can end up dead because of the health system, you will pay at least 3 times more for a cab if you don't look twice, you will be sucked of time when you'll go to pay your bills (yes, we still do that, paying online is still a luxury) and many other problems. The biggest problem that I as a youth see, is that of a proper education. Having the mentality that we have (a balkanic mentality, even tough we're not exactly in the Balkans, only 6% of our territory is) is our worse problem, and you can see it everywhere you look: bad roads, poor service, poor education, poor health system, no responsibility and even bad leaders. It's hard to really accomplish something with this reality that you see everywhere around you. But enough about Romania, and let's start talking about...
Romania and "hackers". Our mass access to Internet started about year 2003, until then it was difficult to have your own Internet line. I still remember the days of my high school when I was going to an Internet Cafe near me, payed by the hour, saved as much information as I could, copied it on a floppy and them study it at home. It was painful, but I remember of that period with a smile on my face. 
Nowadays everybody has access to the giant network called Internet. We have hi5 profiles, silly statuses on yahoo messenger, we check our e-mail for the last spam that our family sent us, but very few are using the Internet properly. The problem with the access given to the masses to the Internet, is that we started having spammers  and phishers around us, people that live and make good money by phishing others for money. I don't have a problem with them necessarily, but I have a problem with the fact that they call themselves hackers. This is what makes me crazy. They never compiled a linux kernel, they didn't ever programmed the hello world program, they don't know how to compile a program without the proper #include files, they have no idea what penetration testing means, but they call themselves hacker. This is ironic. The  national media encourages the term hacker, and they praise with it. This is bad. At least the media should set things right, but they don't. Let's take Antena3 - "Romania ranks second in the top countries from which attacks are launched to obtain data". Since when is phishing considered an attack? I agree with malware, viruses, trojans, or even targeted attacks, but sending an e-mail with a link and then waiting for someone to login to your bogus webpage or selling an airplane (yes, it did happen) through ebay it's not something what i consider an attack. This is just my opinion. Our romanian hacking sites are few (rst and [in]security-romania from my knowledge) and their quality is not extraordinary, so let's get real.
I wish you all the best and stay safe... until next time!

PS: After writing this post, I stumbled upon this: http://garwarner.blogspot.com/2010/04/nicolae-popescu-romanian-hacker-at.html. It explains how things are going in my country. The leader, Nicolae Popescu, is in liberty even tough he is on of the ringleaders of the group. How can this happen you may ask? The answer is simple: in Romania everything is possible if you have money (and of course, you know the right people [which you do, if you've got the money]).

PPS: Do you see the amounts that cops confiscated from them? It seems that it pays out to be a phisher in my country... or NOT! Your liberty values more than any amount of money in this world!

3.19.2010

Exploit writing tutorial site? This is what you're looking for...

On 11 March this year I've asked this question on my twitter account: "Is there a woodmann.com alternative to our security scene? I don't care about the good/bad guy part, I just want to know if it exists!" and I received no answer.
While searching the internet in the usual places, I did found something interesting on Offensive Security's blog, entitled QuickZip Stack BOF 0day: a box of chocolates. It sounded interesting, so I took a peak at it. Damn, it was the best thing I did this entire month. That article/blog post, name it whatever you want, simply rocks!
Do you remember all the vulnerability reports that you see on milw0rm/secunia/vupen/securityfocus? They simply announce the bug, and maybe if you're lucky they write a few lines of code or they write a POC for it. I'm not suggesting that this is bad or something, but if you want to see the logic behind it all, you're lost, because that's a topic that's not covered. Sometimes you see a shellcode and you just stare at it. Why is it there? Why is it so long/short? Why if I change something in it doesn't work anymore? How did someone found a bug and then exploit it and write that shellcode? This questions remain after you've read any vulnerability report on the sites mentioned earlier. But not with QuickZip Stack BOF 0day: a box of chocolates. The author takes you step by step. The best thing of it all, is that he's not feeding you his logic of doing things. The writes a dozen times that you should stop reading, think for yourself what would you do in that particular stage, and only after that you should read further. This is absolutely amazing. That way of teaching/writing reminds me of a famous quote that's still used in the cracking scene by the famous +ORC cracker, but it's still valid and true nonetheless: 

"If you give a man a crack he'll be hungry again tomorrow, but if you teach him how to crack, he'll never be hungry again".

This is what Peter Van Eeckhoutte (corelanc0d3r) does. Do you want to hear another good news? He has posted the 2nd part of the article QuickZip Stack BOF 0day: a box of chocolates Part 2.
Are you ready for another great news? He was made a series of tutorials on how to start writing exploits in the same manner! You can start reading them, starting with the first called Exploit writing tutorial part 1 : Stack Based Overflows and going further until you reach he's last article (Exploit writing tutorial part 9 : Introduction to Win32 shellcoding at this date). His blog is full of excellent well written articles. Do you have problems understanding some of his tutorials? Go and the forum and ask a question. How cool is that?
Even tough nobody answered my question on twitter then, I sure can answer myself now: there is a very well written site, and that's Peter Van Eeckhoutte Blog.
I'm very happy that I've took the time to search the answer to my question, because it surely does pay out.
Thanks Corelan Team and I hope the rest of you will find it at least as good as I did!

3.16.2010

Public disclosure? Why even bother?





Hello again,

This time I'm going to talk about proper disclosure. For those that don't know what's that, here it is: you test a product, you see that it has a bug, you exploit it and you write an email to the vendor to inform about it. You wait a few days, they work on a fix in the meantime, they release a fix and finally they thank you and we are all happy. This is in theory, but...
Real life is almost never like this. You can consider yourself lucky if you get a response from the vendor, or if something get's fixed. If indeed something get's fixed, it usually takes a few weeks (even months sometimes) and you'll certainly never get a simple thanks (from my experience, at least).
I remember a few years ago when I had some spare time, that I started poking around with a few high class .ro domain potential targets. All I did was just a few basic sql injections and a couple of cross-site scripting, but I found a few interesting vulnerabilities out there. I contacted the companies in order to inform about the problems, but nothing. I also stood still for a couple of weeks, and still nothing. After a month, I tried again, and the problems weren't there anymore (at least they've changed their codes).
When I've seen that they did repaired their vulnerabilities, I decided to try a little harder and see if something pops out. It did. I again tried to get in contact, but no response. After a while, they again changed their code, but I'm afraid to look again - who knows what I'll find again? Of course, still no contact.

From that point on, I decided that what i'm going to do is this: when i find a bug, i contact the vendor. From that point on, the vendor has exactly 1 week to respond or correct the bug. If by that time I get no response, I'll go public and disclose the vulnerability. I know that some of you will blame me for what I've written here, but let's face it: it's not right. You do find a vulnerability (you're doing in your free time what other people are payed to do), you contact the vendor, and you don't even get a response. It that fair? It's not fair to me, to you, or to the wasted time taken to find it. I know that there are some vulnerability issues that can be devastating for the public (see Kaminsky's DNS flaw back in 2008), but that's an exception that I'm going to make. The only thing that vendors are afraid of is bad publicity that they get if their code is hacked in broad daylight. Like it or not, that's the truth!
You say that maybe the vendor doesn't have time to answer? Come on! One week is enough for anyone. If they don't do it in a week, they will not do it in 2 or 3 weeks or ever. And please don't tell me that they have no time or programmers to fix the vulnerability, because nowadays everybody works in teams.
To be concise, write back in a week or fix your code in the same time frame or hope that i'll find the next Kaminsky bug, else i'm going public baby!
What's your policy on disclosing vulnerabilities?

UPDATE: It seems that there are others that don't care about their users and the vulnerabilities that can be exposed from their bogus software. Does Microsoft ring any bell? Check it out here! How about Apple? 20 vulnerabilities found with only 5 lines of code written in Python... this is pure blasphemy guys (story here).
Blame me all you want, but i'll stick with my 1 week policy !

PS: It seems that my 1 week period policy works good so far. Kaspersky Romania took 2 days to respond. More update on the Kasperky will follow. 

3.13.2010

Usability versus security or how browsers password managers got 0wned!


Last days there has been a storm on the Internet regarding security. Internet Explorer was hit again and again, and now it seems that even browser passwords are not safe as password managers. I want to talk about the latest, and to respond to Jeremiah Grossman's question: YES, I think that Password Managers are the best tool that users have!
I agree that they offer somehow the best solution from the user's POV, but i have a few objections to make here:

1) How is there to say that a standalone password manager don't have bugs? Let's not forget, password managers are also written by humans, and we are far from perfect.
2) People are lazy by nature. Why do 2 steps (open the password managers and then copy-paste the password), when you could do it in just 1 step? The results are the same, you're still virtual insecure.
3) I could invoke the true statement that a computer that's connected to the Internet is never secure, but I will not say it. Short said, nothing is impenetrable (e. g. remember your tweet? [@claudiufrancu all websites can be messed with. The question is only how and to what extent.]). The same thing applies to programs running offline (this and this are good examples).

The thing is how much security you implement, and how much usability you still have. Users in general want simple stuff: search the web, check e-mails, see videos, chat. They don't want to know all these details about security, and it's normal. When i drive a car, i'm not supposed to know the frequency of my key chip that starts it, or hide it, or keep it in a vault when i'm not driving. I think the analogy applies to the users. They want things that work and are secure.
I think that from a security POV Joanna Rukiwska's approach (Red, Yellow and Green VM) is the best, far better the the password manager's approach, but maybe the users don't have the time/CPU/skill/desire to do it.
From the users POV i think that the built-in pm's that are in web browser's will be long used. They are simple, they do the trick and they almost work. If we want something better, I think it's time to give the users a break and start coming up with good idea's and implement them (in my opinion a 2 way factor protection would be best, like a token that produces a 1 minute password after you input your password, but for this we would need a really big standardization regarding web security and password policies).
As long as we rely on one password, as long and complicated as it is, it can and it will be broken easily. We need to start implementing another type of security, a type where the user does not have the power to pick "123abc" as a password for it's e-mail. Only then we will make progress on the security side, until then we're running in circles.

3.07.2010

Why is security important?


This is an introduction post, so it won't be very technical, maybe just a little bit theoretical. I'm a 23 years old computer enthusiast, that lives in Sibiu, Romania.
I've grown up around computers, and i'm still fascinated with them. They are logical, simple (at least most of the times) and human made. Think of almost any real world situation, and you can transform it into a computer problem/simulation. It's amazing what we have accomplished in only a few hundred years. Remember when we were fighting between ourselves with tanks? Or swords? Or even better, when we used rocks and spears to hunt for animals in order to provide our basic food? Those days are over.
We now have created computers to help us in our daily lives. We had the knowledge to do this. Come to think of it, we are playing God right now. There is only just a problem with it all: are we secure? Many people will argue now that cyber security isn't for us to concern. Is that so? Do you lock the door of your automobile when you're not in it? Do you lock your house when you're not around? The same thing you should do with your blog/e-mail/pictures and everything that you're sharing online. You must protect them at all cost. If you don't want something on the web about you, it's simple: don't do it.
Are you a simple user that surfs the Internet? Pick good passwords, udate your environment as many times as needed, use a daily updated antivirus, use a firewall, use a password on your account, lock your windows accout when you're away and you should be secure in general. [actually the only method to be secure 100% is to don't plug your computer, but this is another topic].
Are you a programmer? Things become more complicated now! With great power comes big responsibility. Not only that you should do all on the top by default, but if you're building a web application you should also implement input and output validation, error handling, authentication and authorization, session management, secure communication, secure resource access, secure storage and many more[visit owasp for more infos]. If you're building a non-web application, you must watch out for a lot of possible errors, here are just a few.
As you can see, things are more complicated as they look like, and this is normal. Things haven't been build with security in mind, we just adapted it on the fly and we pay for it now. Continue to ignore it and you'll see more things like this, this, this and many more alike. It's time to wake up and see the problems around us. Security is one of them, and it's big!
You can always contact me at klaudyus_at_gmail.com. Be safe!

3.06.2010

claudiufrancu.ro is up!













Hi all!

After giving some thoughts, i've made it after all. http://claudiufrancu.ro is up and running!
Updates will follow soon, and also a few of my projects that i'm working. Stay tuned!