Sunday, December 13, 2009

132,000+ sites Compromised Via SQL Injection

Net-Security has posted an article on the discovery of 132k+ sites that have been SQL Injected. From the article

"A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009."

The google search query string is here.

Read more here:

Thursday, November 26, 2009

Unintentional Insider Attacks

In this week’s Cyber Risk Report, we noted a recent article on CSO Online that mentions a rise in internal security incidents that are caused unintentionally or non-maliciously by employees. Employees, especially younger ones that have a lifelong connection to computers and the Internet, are becoming more involved with technologies and Internet resources in the workplace. As a result, companies are finding that their security policies, and in some cases their perimeters, are being breached by workers who are determined to access files, media, websites, or communities that are considered off-limits. Organizations and their security teams are challenged by the rise in disobedience and disdain for established policy. How can they be stopped?

They can’t.

User access control is a grand paradox for computer security. Data is useless without access, and access is impossible without some user to control a system or at least to maintain it. Wherever there is human interaction with a computer, there is a potential for the user to bend, stretch, or break their permissions to do things that they are not supposed to do. Technical controls can certainly be established, but even the most stringent controls like DRM can be broken. Portable electronics are growing smaller every day, and cell phones are some of the most versatile pieces of equipment for a determined attacker. Cameras, Internet access, and even custom applications make today’s phones a nightmare for a controlled environment. And even low-tech attacks like remembering information and writing it down on paper can cause information to leak out of an organization. There is simply no way to stop a user from abusing their rights.

Controls for human factors, therefore, are not rigid like technical controls. Organizations must set boundaries and guidelines that are not seen as overly restrictive. Any time a user feels as if their purpose (whether their personal goals or their occupational ones) is hindered, there is risk that they will put themselves above the corporation. If an employee in Sales needs to access a video of a competitor’s presentation from a public site that is banned by corporate policy, she might circumvent controls to ensure she can meet her quota. If a network administrator needs to troubleshoot a problem across a range of devices in an area, he might install a rogue wireless access point to connect his laptop to the network in order to make the job go faster and save the company money from his lost productivity.

The best way to ensure that controls are not seen as overly restrictive is to generate awareness and training around them. Whenver possible, not setting arbitrary controls is also effective. Users must understand why they are being denied something that they could see as important to their work, and they must buy into the idea presented by the company. Alternative options will also help employees feel like they have a way to get the required work done without compromising things that the corporation feels need to be strongly protected.

Discipline is also important. Not only must the punishment for infringement fit the infraction, but it must be consistently applied. Nothing irks a subordinate more than to see their superiors able to use political clout to thwart the same controls that they must abide by. Pervasive unfair treatment of security policies can quickly lead to someone breaking the rules just to feel that balance has been restored.

And finally, monitoring and management of information brings a technical control to bear on human problems. Instead of actually limiting use, monitoring just ensures that the right kind of information is flowing, that excessive quantities of data aren’t being shipped to a competitor, or that resources aren’t being hoarded by the videos that are watched by just a few employees. Network situational awareness will lead to an organization that is able to permit actions and monitor them, rather than forbid actions and drive them into dark recesses or side channels that cannot be monitored. Combined with a fair and accessible acceptable use policy, organizations can succeed by cooperating with users instead of working against them.

Original article.

Thursday, October 22, 2009

Improper Input Handling

Improper input handling is one of the most common weaknesses identified across applications today. Poorly handled input is a leading cause behind critical vulnerabilities that exist in systems and applications.
Generally, the term input handing is used to describe functions like validation, sanitization, filtering, encoding and/or decoding of input data. Applications receive input from various sources including human users, software agents (browsers), and network/peripheral devices to name a few. In the case of web applications, input can be transferred in various formats (name value pairs, JSON, SOAP, etc...) and obtained via URL query strings, POST data, HTTP headers, Cookies, etc... Non-web application input can be obtained via application variables, environment variables, the registry, configuration files, etc... Regardless of the data format or source/location of the input, all input should be considered untrusted and potentially malicious. Applications which process untrusted input may become vulnerable to attacks such as Buffer Overflows, SQL Injection, OS Commanding, Denial of Service just to name a few.

Improper Input Validation

One of the key aspects of input handling is validating that the input satisfies a certain criteria. For proper validation, it is important to identify the form and type of data that is acceptable and expected by the application. Defining an expected format and usage of each instance of untrusted input is required to accurately define restrictions.

Validation can include checks for type safety and correct syntax. String input can be checked for length (min & max number of characters) and character set validation while numeric input types like integers and decimals can be validated against acceptable upper and lower bound of values. When combining input from multiple sources, validation should be performed during concatenation and not just against the individual data elements. This practice helps avoid situations where input validation may succeed when performed on individual data items but fails when done on a combined set from all the sources [11].

Client-side vs Server-side validation

A common mistake most developers make is to include validation routines in the client-side of an application using JavaScript functions as a sole means to perform bound checking. Validation routines are beneficial on the client side but are not intended to provide a security feature as all data accessible on the client side is modifiable by a malicious user or attacker. This is true of any client-side validation checks in JavaScript and VBScript or external browser plug-ins such as Flash, Java, or ActiveX. The HTML5 specification has added a new attribute "pattern" to the INPUT tag that enables developers to write regular expressions as part of the markup for performing validations [29]. This makes it even more convenient for developers to perform input validation on the client side without having to write any extra code. The risk from such a feature becomes significant when developers start using it as the only means of performing input validation for their applications. Relying on client-side validation alone in not a safe practice. It gives a false sense of security to many developers since client-side validations can easily be evaded by malicious entities. It is important to note that while client-side validation is great for UI and functional validation, it isn't a substitute for server-side validation. Performing validation on the server side ensures integrity of your validation controls. In addition, the server-side validation routine will always be effective irrespective of the state of JavaScript execution on the browser. As a best practice input validation should be performed both on the client side as well as on the server side.

Improper Input Sanitization and Filtering

Sanitization of input deals with transforming input to an acceptable form where as filtering deals with blocking/allowing all or part of input that is deemed unacceptable/acceptable respectively. Sanitization and filtering typically is implemented in addition to input validation.

Weak sanitization and/or filtering can lead an attacker to evade such mechanisms and supply malformed and/or malicious input to the application. The "attacks" section of this document describes SQL Injection and Buffer Overflow attacks which are a direct effect of missing or weak filtering/sanitization.

Input Sanitization

Input sanitization can be performed by transforming input from its original form to an acceptable form via encoding or decoding. Common encoding methods used in web applications include the HTML entity encoding and URL Encoding schemes. HTML entity encoding serves the need for encoding literal representations of certain meta-characters to their corresponding character entity references. Character references for HTML entities are pre-defined and have the format &name; where "name" is a case-sensitive alphanumeric string. A common example of HTML entity encoding is where "<" is encoded as < and ">" encoded as > . Refer to [1] for more information on character encodings. URL encoding applies to parameters and their associated values that are transmitted as part of HTTP query strings. Likewise, characters that are not permitted in URLs are represented using their Unicode Character Set code point value, where each byte is encoded in hexadecimal as "%HH". For example, "<" is URL-encoded as "%3C" and "ÿ" is URL-encoded as "%C3%BF".

There are many ways in which input can be presented to an application. With web applications and browsers supporting more than one character encoding types, it has become a common place for attackers to try and exploit inherent weaknesses in encoding and decoding routines. Applications requiring internationalization are a good candidate for input sanitization. One of the common forms of representing international characters is Unicode [18]. Unicode transformations use the UCS (Universal Character Set) which consist of a large set of characters to cover symbols of almost all the languages in the world. The table below, taken from [21], shows a set of samples with different characters from UCS that are visually similar in representation to ASCII characters "s", "o", "u" and "p". From the most novice personal computer user to the most seasoned security expert, rarely does an individual inspect every character within a Unicode string to confirm its validity. Such misrepresentation of characters enables attackers to spoof expected values by replacing them with visually or semantically similar characters from the UCS.

s ѕ Ѕ Ϩ
0073 FF53 0455 10BD FF33 0405 03E8
o ο о º ѻ
006F 03BF 043E FF4F 00BA FFB7 047B
u υ IJ
0075 2294 03C5 22C3 222A 0132 1E75
p р ƿ ρ ק Р
0070 0440 FF50 01BF 03C1 05E7 0420

Note that although the characters have a similar visual representation, they all carry a different hexadecimal code that uniquely maps to UCS. Additional information on character encoding types and output handling can be found at [22].


Canonicalization is another important aspect of input sanitization [20]. Canonicalization deals with converting data with various possible representations into a standard "canonical" representation deemed acceptable by the application. One of the most commonly known application of canonicalization is "Path Canonicalization" where file and directory paths on computer file systems or web servers (URL) are canonicalized to enforce access restrictions. Failure of such canonicalization mechanism can lead to directory traversal or path traversal attacks [24]. The concept of canonicalization is widely applicable and applies equally well to Unicode and XML processing routines.

The first major Unicode vulnerability was documented against Microsoft Internet Information Server (IIS) in October 2000 [12]. This vulnerability allowed attackers to encode "/", "\" and "." characters to appear as their Unicode counterparts and bypass the security mechanisms within IIS that block directory traversal. In another example, a vulnerability discovered in Google perfectly illustrates the significance of character encoding [13]. The vulnerability stated in this example exploits lack of consistency in character encoding schemes across the application. While expecting UTF-8 [14] encoded characters, the application fails to sanitize and transform input supplied in the form on UTF-7 [15] leading to a Cross-site scripting attack. Additional examples can be found at [16] and [17]. As mentioned earlier, applications that are internationalized have a need to support multiple languages that cannot be represented using common ISO-8859-1 (Latin-1) character encoding. Languages like Chinese, Japanese use thousands of characters and are therefore represented using variable-width encoding schemes [18]. Improperly handled mapping and encoding of such international characters can also lead to canonicalization attacks [19].

Based on input and output handling requirements, applications should identify acceptable character sets and implement custom sanitization routines to process and transform data specific to their needs. Additional information on outputting data in international applications can be found at [22].

Input Filtering

Input Filtering is a decision making process that leads either to the acceptance or the rejection of input based on predefined criteria. In its most basic form, input filtering deals with matching or comparing an input data stream with a predefined set of characters to determine acceptability. Acceptable input is passed forward for processing and unwanted characters are blocked thus preventing the application from processing unrecognized and potentially malicious input. There are two major approaches to input filtering [2]:

  • Whitelist - Allowing only the known good characters. E.g. a-z,A-Z,0-9 are known good characters in the whitelist and are hence accepted by the filter
  • Blacklist - Allowing anything except the known bad characters. E.g. <,/,> are known bad characters in the blacklist and are hence blocked by the filter

There are advantages and disadvantages to both approaches. Blacklist based filtering is widely used as it is fairly easy to implement, but offers protection only from known threats. Characters in a blacklist can be modeled to evade filtering as the filter only blocks known bad characters; an attacker can specially craft an attack to avoid those specific characters. Researchers have demonstrated several ways of evading blacklist based filtering approaches. The XSS cheat sheet [7] and SQL cheat sheet [8] are classic examples of how filter evasion techniques can be used against blacklist based approaches. Both Mitre [9] and NVD [10] host several advisories describing vulnerabilities due to poor blacklist filtering implementations.

Whitelist based filtering is often more difficult to implement properly. Although proven efficient with virus and malware protection techniques, it can be difficult to compile a list of all good input that a system can accept.

Input validation, sanitization and filtering requirements apply equally to elements beyond web application code. Web application infrastructure components like web servers and proxies that handle web application requests and responses have been shown to be vulnerable to attacks caused due to weak input validation of HTTP request/response headers. Some examples include HTTP Response Splitting [25], HTTP Request Smuggling [26], etc...

A common approach to perform input filtering, validation and sanitization is through the use of a regex (Regular Expressions) [23]. Regular Expressions provide a concise and flexible means of identifying patterns in a given data set. Many ready-made regular expressions that deal with common input/output related attacks such as SQL Injection [4], OS Commanding [5] and Cross-Site Scripting [27] are available on the Internet. While these regular expressions may be simple to copy into an application, it is important for developers using them to ensure they are evaluating the requirements for their expected input streams.

Commercial companies like Microsoft and open source communities like OWASP have ongoing efforts to provide protection tools against some of the common attacks mentioned above. Microsoft's Anti Cross-Site Scripting Library [28] not only guides its users and developers with putting measures in place to thwart cross-site scripting attacks, but also provides insight into alternatives for proper input and output encoding where its library routines may not apply. OWASP's ESAPI project [6] provides guidelines and primary defenses against SQL Injection attacks. It also provides details on database specific SQL escaping requirements to help escape/encode user input before concatenating it with a SQL query. SQL escaping, as advocated in EASPI, uses DBMS character escaping schemes to convert input that can be characterized by the SQL engine as data instead of code.

Common examples of attacks due to Improper Input Handling

Buffer Overflow

The length of the source variable input is not validated before being copied to the destination dest_buffer. The weakness is exploited when the size of input (source) exceeds the size of the dest_buffer(destination) causing an overflow of the destination variable's address in memory.

void bad_function(char *input)
char dest_buffer[32];
strcpy(dest_buffer, input);
printf("The first command line argument is %s.\n", dest_buffer);
int main(int argc, char *argv[])
if (argc > 1)
printf("No command line argument was given.\n");
return 0;

See [3] for more on this and similar attacks.

SQL Injection

The sample code below shows a SQL query used by a web application authentication form.

SQLCommand = "SELECT Username FROM Users WHERE Username = '"
SQLCommand = SQLComand & strUsername
SQLCommand = SQLComand & "' AND Password = '"
SQLCommand = SQLComand & strPassword
SQLCommand = SQLComand & "'"
strAuthCheck = GetQueryResult(SQLQuery)

In this code, the developer combines the input from the user, strUserName and strPassword, with the existing SQL statement's structure. Suppose an attacker submits a login and password that looks like the following:

Username: foo
Password: bar' OR ''='

The SQL command string built from this input would be as follows:

SELECT Username FROM Users WHERE Username = 'foo'
AND Password = 'bar' OR ''=''

This query will return all rows from the user's database, regardless of whether "foo" is a real user name or "bar" is a legitimate password. This is due to the OR statement appended to the WHERE clause. The comparison ''='' will always return a "true" result, making the overall WHERE clause evaluate to true for all rows in the table. If this is used for authentication purposes, the attacker will often be logged in as the first or last user in the Users table.

See [4] for more information on this and other variants of SQL Injection attack

OS Commanding

OS Commanding (command injection) is an attack technique used for unauthorized execution of operating system commands. Improperly handled input from the user is one of the common weaknesses that can be exploited to run unauthorized commands. Consider a web application exposing a function showInfo() that accepts parameters name and template from the user and opens a file based on this input

Example: http://example/cgi-bin/

Due to improper or non-existent input handling, by changing the template parameter value an attacker can trick the web application into executing the command /bin/ls or open arbitrary files.

Attack Example:


See [5] for more on this and other variants of OS commanding or Command Injection attack


Character encodings in HTML


Secure input and output handling


Buffer Overflow


SQL Injection


OS Commanding




XSS Cheat Sheet


SQL Cheat Sheet


CVE at Mitre


National Vulnerability Database


CWE-20: Improper Input Validation


Microsoft IIS Extended Unicode Directory Traversal Vulnerability


Google XSS Vulnerability






Widescale Unicode Encoding Implementation Flaw Discovered


Unicode Left/Right Pointing Double Angel Quotation Mark


Variable width encoding schemes


Canonicalization, locale and Unicode




The Methodology and an application to fight against Unicode attacks


Improper Output Handling


Regular Expressions


Path Traversal


HTTP Response Splitting


HTTP Request Smuggling


Cross Site Scripting


Microsoft Anti-Cross Site Scripting Library V3.0


HTML 5 "pattern" attribute


Original here.

Saturday, October 3, 2009

Brief: Firefox feature looks to foil XSS attacks

The Mozilla Foundation released on Wednesday a preview version of the Firefox browser that implements a technology to protect against scripting attacks.

The technology, known as Content Security Policy, allows Web sites to specify restrictions on how they handle scripts. Using CSP, a Web site can create a white list of sites from which the browser should accept scripts as well as mandate that the scripts are labeled as applications and are not obfuscated. A number of other features are also available, all aiming to prevent malicious scripts from executing in the context of the current site.

The preview does not implement the entire specification, and Mozilla is looking for testers and feedback, Brandon Sterne, security program manager for Mozilla stated in Wednesday's blog post.

"Please be aware that there are still a few rough spots," Sterne said. "The implementation is not quite complete so you may notice some small gaps between the preview builds and the spec."

Content Security Policy is based on recommendations made by Robert "rsnake" Hansen back in 2005. Most browsers treat all scripts the same, executing in the context of the current site, no matter where they originated. The defacto policy is what allowed untrusted ads on The New York Times site to recently serve up malicious software to visitors and allowed the Samy and other Web worms to spread. Content Security Policy allows sites to tell browsers which scripts should be allowed as well as additional restrictions on scripting.

Mozilla has created a demo page for security researchers who want to see content security policy in action.

Source: securityfocus.

More solutions please

Over the last week, I've attended a security awareness forum and spoken at a cloud computing conference. The major learning point highlighted by both events, was both predictable and significant: our current approach to security is failing to deliver and requires a major re-think.

I touched on this issue in my latest Infosecurity blog posting. The new world of cloud computing, for example, introduces a new set of problems that we have yet to experience. For many years, we've assumed that we can manage emerging problems through risk management or best practice controls. Both approaches fail because we simply don't know what's lurking in those clouds.

The obvious answer is to switch to a more pragmatic approach of addressing the underlying, root causes of incidents, rather than trying to predict the future. Human failings, for example, are the most important factor in the vast majority of incidents, and this people-oriented trend will grow with increasing user power and connectivity.

Is this too simple? It probably is. Otherwise we would have adopted it decades ago. Just think, for example, how much better the world might be if we'd fixed the password problem two decades ago. Simple is not easy but it often works best.

Source: ComputerWeekly.

Friday, October 2, 2009

Social Engineering at its best

In conjunction with a team of social engineers, penetration testers and information security experts, is opening its “virtual” doors today.

The team at Offensive Security has been working with many contributors and specialists to put together the Webs Official Framework for Social Engineering. will house an ever growing framework for social engineering as well tools, how-to’s, informational reviews and podcasts all geared at helping security minded professionals enhance their awareness and knowledge in the field of social engineering. Join us at for more info.

source: OffensiveSecurity.

Saturday, September 26, 2009

Tricks with Google!

This write up is nothing related to Information Security. But, it is good to know information for. There are three tricks in all:

1. FastFlip through articles: Google recently launched a new service: FastFlip, which can help you read online pages just as you flip through a magazine. These pages are indexed by the Google bot from many Google partner websites and presented to you for a quick read. You also have an option to choose the stuff you read by logging in to your account and customizing the application.

FastFlip can be found here.

2. Play Monopoly with Google Maps: This can be a leisure activity on those days when you do not have anything that’s fun to do. So, Google has teamed up with the worlds largest Monopoly board game manufacturer (!), so that you can use Google Maps as a board for Monopoly. The rules are similar to what we normally play. You initially get paid out 3 million Monopoly dollars (!) to play.

You can play this game here.

3. Search real time indexed pages on Google: So, you wish to keep up with your favorite web site as soon as Google has indexed its recently updated/added page? You can now do so using a parameter that we observed recently. This parameter is- tbs=qdr:

You can get results with a seconds delay, i.e., after it being indexed! According to us, ‘tbs’ stands for ‘to be scanned’ and ‘qdr’ stands for ‘query data range’! This might not be the true meaning. :P It can take the following units – s (second), n (minute. We don’t know why they do not have a m instead), h (hour), d (day), w (week) , m (month) and y (year). For example,

tbs=qdr:s1 [1 second delay]
tbs=qdr:n1 [1 minute delay]
tbs=qdr:h1 [1 hour delay]
tbs=qdr:d1 [1 day delay]
tbs=qdr:w1 [1 week delay]
tbs=qdr:m1 [1 month delay]
tbs=qdr:y1 [1 year delay]

For example,

Source: pentestit.

Comodo Internet Security – Free All-in-one Firewall & Antivirus

Comodo Internet Security is the free, multi-layered security application that keeps hackers out and personal information in.

Built from the ground upwards with your security in mind, CIS offers 360° protection by combining powerful Antivirus protection, an enterprise class packet filtering firewall, and an advanced host intrusion prevention system called Defense+.

b841a20b74588c28b5cb6bf32020b126 Comodo Internet Security   Free All in one Firewall & Antivirus

Features of Comodo Internet Security

- All-in-one Firewall & Antivirus
- Defends your PC from Internet attacks
- Detects and eliminates viruses
- Prevents malware from being installed
- Easy to install, configure and use
- Free to both business and home users
- Default Deny Protection (DDP)
- Prevention-based protection
- Personalized protection alerts
- Real-time access to updated virus definitions
- One-click virus scanning
- Uncluttered, user-friendly interface
- Thorough security “wizards”
- Unique “slider” to easily change your current security level
- Exclusive access to Comodo’s “safe-list”

Comodo Internet Security Includes:

Firewall: Slam the door shut on hackers and identity thieves.
Antivirus: Track down and destroy any existing malware hiding in a PC.
Defense+: Protects critical system files and blocks malware before it installs.
Memory Firewall: Cutting-edge protection against sophisticated buffer overflow attacks.
Anti-Malware Kills malicious processes before they can do harm.

Operating system:

Windows XP (SP2) or Vista 32 bit
64 MB RAM / 70 MB hard disk space
Windows XP (SP2) or Vista 64 bit
64 MB RAM / 105 MB hard disk space

We have published and revied anti virus and firewalls, this one is effective and proctects you from bad guys and their malwares. Tested on windows XP full of internet virus it manged to clean 98 % of known virus and 70 % modified malwares. As it also has firewall so browser hijack was also detected but was not cleaned. overall we were protected and its also Free !!!. So we had some soft corner.

Download Comodo Internet Security Here


Friday, September 25, 2009

Twitter DM Phishing Scam

As Twitter gains momentum there are more and more attacks on it, it’s users and the most recent is a phishing scam via DM (Direct Message).

It was uncovered recently that it was being used as a Botnet Control Channel, shortly before that it was subjected to a DoS attack.

This isn’t the first time DMs have been used in a Phishing attack too.

Phishers are targeting Twitter users in a new attack involving direct messages sent to Twitter users containing a link to a site requesting user log-ins.

There are reports of a new phishing scam making the rounds on Twitter. The attack seeks to steal user credentials by sending tweets out with links to a phishing site. The attack site requests the user’s log-in information; once the attackers have that, they can take over the account of the victim and use it to send out more messages.

According to messages from Twitter users, the tweets with the link to the phishing site have to do with the sender supposedly making a certain amount of money. Such periodic phishing attacks on users of the popular microblogging service have become a fact of life.

I’m not exactly sure why anyone would want to steal a bunch of Twitter accounts? Perhaps to monetize them somehow with spam/affiliate schemes.

But the current threat on Twitter is a phishing scam executed via DM with a link to various things including ways to make money, a video of you or some other juicy gossip.

The cornerstones of social engineering in phishing attacks.

In May, researchers at Sophos reported that a number of Twitter users were lured to a phishing site via a tweet with the message: “check this guy out [tinyurl address leading to the attack site].” As was the case in that instance, URL shortening services are increasingly being abused by attackers to mask the Websites they are sending their victims to.

Besides drawing attackers as it has grown, Twitter has also gotten the interest of security researchers, as shown by the “Month of the Twitter Bugs.”

Twitter warned users about the attack, stating in a message: “A bit o’ phishing going on—if you get a weird direct message, don’t click on it and certainly don’t give your log-in creds!”

If you are using Twitter you should follow @spam and keep up to date with what is happening on the network.

Source: eWeek

Tuesday, September 22, 2009

Windows Software

Avast: Another free Anti-Virus software. Just as good as AVG. However this one is more system intensive than AVG or NOD.
Bitdefender: Popular anti-virus software- Free of charge. Free- NOT real time scanning -only manual scanning)
ClamWin: Small and non-intrusive anti-virus. Like Bitdefender (Free- NOT real time scanning -only manual scanning)
AntiVir: An anti-virus that has been around for a long time – still free for home use.
Blink: First security solution to build all of the necessary protection layers into a very lightweight package. (Contains a software Firewall)
NOD32: The absolute BEST anti-virus protection. (I know, I clean scumware for a living). 30day trial. Or purchase.
Kaspersky: A very sweet anti-virus software with a 30day trial. Be sure to JUST get the AV, not the full suite of bloatness.

TheCleaner: This finds/prevents trojan horses. This is on a 30day trial, however very recommended – try it.
DiamondCS: Many high-end programs for worm/Trojan detection, 30day trial.
Windowsecurity: Free online Trojan scanner.

Ad-Aware SE: Great for getting rid of spyware and malware – the items that can cause annoying pop-ups.
SpyBot: Similar to Ad-Aware, however more aggressive. Clean up spyware and hijack attempts.
SpyCatcher: Active Protection. One of the most advanced antispyware solution available as a free service.
AVG AntiSpyware : Clean annoying malware such as spyware, Trojans and hijackers. Great compliment to an anti-virus.
MalwareBytes: Since programs like Ad-Aware have become.. crap, this is a GREAT replacement for cleaning.
CounterSpy: Probably the best shield against spyware. The best database cleaner there is. Period. 30day trial.
Comodo BOClean: This is more of a “real time” (run the the background) anti-spyware. Not a fan of TSR’s, but this works.
CWShredder: Takes care of many hijacking software – run if you get many pop-ups/redirecting pages.
HijackThis: Tool to find out if there is “hijack” software on your system. Use the logfile analyzer if your not sure.
Kill2me: Another stomper of spyware – bring it on.
KillBox: Very nice for taking care of “Abetterinternet” and other n00bish software.
a² free: This bridges the gap with anti-virus and malware. This free scanner cleans Trojans, worms, spyware (all malware).
SpywareBlaster: Active prevention against spyware, adware, browser hijackers and dialers.
HitmanPro2: Incorporates all major Anti-Spyware software and updates/runs them all for you. Too cool.
WinDiz: Windows updates with FireFox. Great if ActiveX is damaged by spyware.

POPfile: Perfect/Free ani-Spam tool. Involved installation, but once it’s set – it’s good.
IHateSpam: For Exchange (V5.5, 2000 and 2003) was uniquely developed to be both user and admin-friendly. 30day trial.
Spamihilator works between your E-Mail client and the net. Useless spam mails (Junk) will be filtered out.
SpamBayes: is a tool used to segregate unwanted mail (spam) from the mail you want (ham).
SpamPal: Mail classification program that separates your spam from the mail you really want to read.
OSpam: A great and simple spam solution for any POP account.

Sygate. Just bought by Symantec – now it’s going to be crap. Hurry and get this before it happens.
Tiny: Tiny is a free firewall. It is designed for the more advanced due to the heavy features included.
Comodo: Great little personal firewall. This is pretty new and robust.
OutPost: An Opensource based firewall. Works very well protecting against worms, trojans and hackers.
Kerio: Smart, easy-to-use personal security technology that fully protects PC’s against hackers and internal misuse. The best.
Protowall: Very small application that blocks IP address. Very cool.
Prevx: Stops the attacks that bypass anti-virus and firewall products.

PowerCrypt 2000: Encrypted files, folders and E-mails. This free file lets you hide all your data.
PGP: “Pretty Good Privacy”. Actually it’s probably the best encryption software out there. Free – PC/MAC
Cryptainer LE: Secure your data and ensure absolute privacy with Cypherix’s powerful 128bit encryption.
BitCrypt: A sophisticated tool allowing for encryption of plain text within a bitmap image.
EasyCrypto: Encrypt both standalone files and entire folders. Many cool options here.
Truecrypt: Free open-source disk encryption software for Windows XP/2000/2003.
MD5HashGen: Simple application that can generate one-way MD5 hashes – Great for password generations.
PerfectPasswords: GRC’s Ultra High Security Password Generator.
RoboForm: A free password manager and one-click web form filler. Just be carefull who uses your PC.
Password Safe: Allows you to have a different password for all the different items that you deal with – remembers for you.
CutePasswordManager: Form filling software that auto fill user/password. Stores info with 256-bit AES encryption – 1click login. *
PIN’s: Storing of any secure information like passwords, accounts, PINs etc. 448 bit Blowfish. Does not install.

Eraser: FBI just kick in the door? This little program will erase data to a level that the Dept. Of. Defense uses.
KillDisk: KillDisk conforms to US Department of Defense clearing and sanitizing standard DoD 5220.22-M.
AutoClave: Hard drive sterilization on a bootable floppy.
SuperShredder: Shred’s individual files. It’s stronger than DOD specs.
DBAN (”Darik’s Boot and Nuke”) is a self-contained boot floppy that makes it an appropriate utility data destruction.

Anonymizer: Installs a small toolbar into your browser. Moves your connection to proxies around the word. Slows connection. Spoof your IP address without installing software. The paid version is much faster.

SpeedFan: Allows you to see your CPU temperature. Good for overclockers and modders.
Motherboard Monitor: Like speedfan, reads temperature and fan RPM data – alerts you when there’s trouble.
Si Meter: Great/free/small application that does live monitoring on system resources.
TDIMon: Lets you monitor TCP and UDP activity on your local system.
InterMapper: Gives a visual in real-time view of traffic flows through and between critical network devices and links.
WinBar: A compact program that lets you monitor your system and provides easy access to frequently used controls.

RegSupreme: Clean up the registry from old entries, speed up your system. 30day trial.
RegSeeker: Very tiny – does not install. I have tested this and trust it. Many tweak options with it.
RegscrubXP: A great free registry cleaner for XP. Fix those “weird issues” with Windows.
Beclean: is the complete suite of system cleaner. Registry to history – cleans many things.
CCleaner: Removes unused and temporary files from your PC – allowing it to run faster, more efficiently and saving space.
MyUninstaller 1.0: Uninstall anything,clean out old video drivers, uninstall programs that are not in “add/remove”.
DriverCleaner: Made to fully clean out the drivers of ATI and NVIDIA.
MSconfig: Get rid of startup programs that slow your PC down. This would be for Windows 2000.
Starter: It’s better than Msconfig. Also works with Windows 2000, which is nice due to the fact that 2k doesn’t have msconfig.
PreFetch cleaner: A pre-fetch scrubber to clean out files that are used commonly – can be corruption or spyware hiding.

Belarc: Takes a snap-shot about a PC (hardware-software) with a full profile report. This is very handy.
SIW: A small .exe that when ran – gives you all kinds of info about your PC and software. Need this on your tools disk.
PcpBios: Very tiny script that looks at all BIOS related information. RAM, CPU and motherboard instant info.
EVEREST: (recently AIDA32). Like Belarc, gives full system summary of hardware and software/keys.
SpaceMonger: A tool for keeping track of the free space on your computer. It shows a graph of files and sizes.
IP subnet calculator: A diagnostics tool to calculate your network latency and subnet information.
CPUid: A very small application that tells you about your specific specs. (FSB, core clock, dual channel etc.).
PC Pitstop: A good site to check how your doing on fine tuning your computer. It will also help you fix your issues.
PowerMax: Diagnostics for hard drives made by Maxtor. Download, put on a floppy or CD and test your HDD.
MemTest86: Diagnostics for your RAM. Download, put on a floppy or Cd and test your RAM.
Monitor Asset Manager: A Plug and Play monitor information utility. Provide detailed technical information about the target display.
ShieldsUP: Port scanning of all ports or custom scans. See how good your firewall is doing.
BandwidthTest: Test your internet connection speed.

TweakUI: Perfect for somebody who really wants to customize there XP. Made my Microsoft
X-Setup: Like TweakUI but with more functionality and options. Very slick.
ResourceHacker: Get in and really tweak or fix Windows. Great registry GUI hacking.
RenameRecycleBin: I made this registry value in notepad, download/double-click/”yes”/throw away, rename your recycle bin.
Matrix Screensaver: Best (only) Matrix screensaver out on the web. Great options. Here is actual text (change name for you)
FOOOD’s Icons: Great free icons for XP. Default is boring.
Strokit: Advanced mouse gesture recognition engine and command processor.
ReForce: Windows 2k and XP have an issue with Hz in games. This will allow you to set all games at a specific Hz setting.
Keyboard Remapper: Remap your keyboard keys. Easy enough.
ClocX: Analog clock for the desktop.
Xpadder: Map your game pad or RC TX to keyboard keys. Wokrs great for customized controllers.
Alarm: A digital clock that you can set to display a message and play a sound at a time of your choice. AlarmClock
WeatherPlus: Display satellite images and video around the globe, stay updated on current and expected weather conditions.
Nlite: Remove or add Windows components to your Windows CD – for next time you re-install Windows.
AutoStreamer: Just like Nlite, this is specifically for adding Service Packs to your Windows install CD’s.
Digital Blasphemy: Probably the best wallpapers and images on the net.
Konfabulator: Engine that lets you run little files called Widgets that can do pretty much whatever you want them to.

File Recovery: This is free software made by PC Inspector. Really, Really nice if you lost or trashed a file and need it back.
Smart Recovery: Recover data from flash drives: CF, SM, Thumbdrives, micro drives – etc.
Disk Investigator: Discover all that is hidden on your computer hard disk, recover lost data.
File Scavenger: Undelete and data recovery utility for NTFS volumes. 64KB or smaller files can be recovered with free trial.
CDCheck: Utility for the prevention, detection and recovery of damaged files on CD-ROMs and error detection.
Restoration: Tiny program that doesn’t install. Perfect if you trashed a file (even emptied the recycle bin) and you need it back.
RecoverOutlookMail: A little trick for recovering those corrupted .PST files.

FireFox: Drop Internet Explorer and get a superior browser. Check out the add-ons.
Google Chrome: A great webkit based browser by Google. Very fast. *
Opera: If you don’t use FireFox, use Opera. Now that it is free and Ad-free – it is now recommended.
Safari: Apples web browser now for Windows. Great web browser next to Firefox.
Reload Every: Extension for FireFox. Allows you to set reload times on your browser windows so you won’t be logged out.

FileZilla: An FTP program that is superior to “Cute”, and is Free.
WinSCP: Open source SFTP client for Windows using SSH and SCP protocol’s. Secure FTP.
FireFTP: If you use FireFox browser (like you should be) – use this plug-in for FTP functionality in your browser.
Hamachi: Setup two or more computers with an Internet connection into their own virtual network for direct secure communication. How-to’s
FolderShare: Securely keep files synchronized between your devices and remotely download your files from any browser.
LogMeIn: Easy to log into a PC from a PC, MAC or linux machine. No port forwarding involved! Just like terminal services but easier.
Avvenu: Remote connect to your PC from another PC or any web-enabled handheld. Perfect for getting those files you forgot.
Crossloop: Secure screen sharing utility designed for people of all technical skill levels. Basically, TightVNC but no port forwarding needed.
TightVNC: Remote control software- see the desktop of a remote machine and control it with your local mouse and keyboard.
RemoteDesktop: Microsoft remote desktop client side installer for older Windows versions.
RDPortX: A small app I made to change the defualt 3389 port that Remote Desktop ueses. Great for multiple RD servers on the same network.
eMando: Client/server package which you can use to control and manage a computer over a LAN or the Internet.
DirectUpdate: Get an Email of your WAN IP address changes even behind a router (for dynamic ISP’s). 60day trial ($15.00 – buy).
DynDNS: A full list of dynamic IP administration software tools.

CDBurner-XP Pro: Just like it sounds, burning program for Windows. Free.
ImageBurn: A lightweight CD / DVD / HD DVD / Blu-ray burning application.
ISORecorder: Small program to burn images of CD’s. Once installed, right click an .ISO’s or a ROM drive and “create CD image”.
DeepBurner: A full featured Burning app for CD’s, DVD’s and ISO’s. Much like Nero only totally ~~Free


Tuesday, September 15, 2009

Malware Analysis Tools and Techniques

Malware Analysis Tools and Techniques

Apart from what guidelines have been published in various books and articles. My this post will summarize the overall manual and automated techniques to simulate and test the samples of malwares collected and their behavioral activities. To be noted that a "Malware" could be delivered in the form of trojan, virus or worm.

Manual Toolset
These tools require the collaboration of other toolset used in conjunction, to support depth analysis of a malware.

Foundstone BINTEXT
Malzilla (Analyzing Web-Based Malwares - JavaScript/iFrame)
HTTP Proxy Debuggers (Paros, WebScarab)
iDefense SysAnalyzer, HookExplorer and MAP (Malcode Analyst Pack)
SysInternals Tools
PEiD Tool (Very important to detect packers/compilers/cryptors)
GDB GNU (Linux)
SoftICE (Reversing)
IDA Pro (Reversing)
Salamander Decompiler (.NET Applications)
Reflector.Net Tool
DaFixer's DeDe (Delphi) REC
HeavenTools PE Explorer

Automated Online Tools
These online submission services automatically analyze the malware in a very restricted environment(simulate) and record their activites and produce results on the basis of various Anti-Virus/Malware detection.

Source: EthicalHacker.

Monday, September 14, 2009

Windows autorun may autoinfect

Nothing beats a USB port for convenience, whether you want to quickly transport a couple gigabytes of files for work, refresh the lineup on your MP3 player, or view the pictures from your recent trip to Boise. Unfortunately, USB ports also provide an overly convenient bridge for malware to creep from a portable media device onto an unsuspecting user's system. In fact, it seems nearly every client I visit these days has numerous computers carrying USB-infecting malware -- even trusted clients with otherwise stellar security histories. It's getting so bad that I'm scared to share USB keys with my clients.

The primary culprits here: Microsoft Windows' autorun and autoplay features for portable media devices (USB keys, USB hard drives, camera memory flash cards, and so on). To make users' lives easier, Microsoft coded Windows to seek and deploy autorun and autoplay files on removal media. A user connects his or her device, and the program it contains launches automatically, if so designed by the software developer. It's what allows a CD or DVD to start playing the moment it's inserted or a new software program's install routine to automatically commence.

[ Already infected by malware? Starting from scratch is the best course of action [1]. | Are you up to snuff in your security regimen? Get your defenses in tip-top shape with InfoWorld's Security Boot Camp [2], a 20-lesson course via e-mail that begins Sept. 21. ]

Unfortunately, malware writers have co-opted autorun and autoplay to spread rogue code. An unsuspecting user inserts a portable media device containing the code, which is often invisible to the casual user. The malware then uses autorun and autoplay -- and maybe the desktop.ini file -- along with the hidden core malware program to pull off the overall exploit. The malware can then go on to infect the computer and network using other vectors, such as network shares, password guessing, and normal infection vectors, or it can stick to infecting removal media devices. Either way, it's not a good thing.

My recommendation: Protect your systems and your network by disabling the autorun and autoplay functionalities and by educating users on how to manually launch any needed program. Disabling this functionality has become easier and easier with each new version of Windows. It can be done using Group Policy or registry edits. In many cases, you might have to install an additional software hotfix to get all the needed disabling functionality.

Specifically, to disable the autorun functionality in Vista or in Windows Server 2008, you must have security update 950582 installed (security bulletin MS08-038). To disable the autorun functionality in Windows XP, Windows Server 2003, or Windows 2000, you must have security update 950582, 967715, or 953252 installed. (See Microsoft's Web site [4] for more details. It covers what software fixes to install, if needed, and the related registry keys and group policies that can be configured.)

My friend Jesper Johannson has an excellent description [5] -- and solution discussion -- of the problem, which I highly recommend.

Even if you fix your computers, you have to be careful as to where you stick your USB device. It's truly similar to sex advice: You are sharing your USB device with every USB device that has shared the same port.

Of course, it doesn't hurt to run antimalware software, even if it isn't 100 percent accurate, configured to autoscan all autolaunching code or inserted media devices.

Also, if I share my USB key, I always look for any added autorun.inf, desktop.ini, or newly appearing executable files. I configure Windows Explorer to show all files (hidden, system, and registered extensions) so that any hidden files are shown. You can disable USB ports (or any devices or ports) physically or by using Group Policy, registry edits, or third-party software. Last, check all your removal media to make sure they haven't been silently infected and you aren't spreading the disease.

Practice safe computing and disable autorun and autoplay -- so we can go back to fighting Internet-based malware.

Are your network defenses feeling a little flabby? InfoWorld's Security Boot Camp will whip your IT operation into shape in next to no time. Get Roger Grimes’ advice delivered to your in-box in a special, four-week e-mail-only course. Sign up now [6].

* Security Central
* Malware
* Windows

Source URL (retrieved on 2009-09-29 12:18PM):


Source: Roger A. Grimes.

Thursday, September 10, 2009

Análisis forense de cola de impresión de Windows

Es posible recuperar el último archivo impreso en Windows y visualizarlo. Para realizar esta técnica es necesario saber el funcionamiento de la cola de impresión en Windows.

En el momento que se envía un archivo a imprimir, se crea un archivo de almacenamiento intermedio en formato EMF, donde se almacena lo que se envía a la impresora y las opciones de impresión, su extensiones son: *.SPL y *.SHD. Cuando la impresión finaliza, Windows borra estos archivos que se almacenan en:


Para hacer un análisis forense del último documento impreso, hay que usar un software de recuperación para obtener los archivos *.SPL y *.SHD.

Una vez recuperado estos archivos con la herramienta EMF Spool Viewer es posible: descifrar estos archivos, visualizar el último archivo impreso y obtener las propiedades de impresión utilizadas

Para la cronología de la escena podemos usar los metadatos del archivo o la fecha de eliminación ya que corresponde con la fecha de impresión. Esta técnica funciona para Windows NT/2000/XP/VISTA.

Más información y descarga de EMF Spool Viewer:

Más información sobre la cola de impresión y archivos EMF:

Autor: Alvaro Paz
Fuente: Guru de la informática

Monday, September 7, 2009

Microsoft IIS FTP 5.0 Remote SYSTEM Exploit

A remote Microsoft FTP server exploit was released today by Kingcope, and can be found at,

A quick examination of the exploit showed some fancy manipulations in a highly restrictive environment that lead to a ”useradd” type payload. The main issue was the relatively small payload size allowed by the SITE command, which was limited to around 500 bytes.

After a bit of tinkering around, we saw that the PASSWORD field would be most suitable to shove a larger payload (bindshell). A quick replacement of the original “user add” shellcode with a secondary encoded egghunter – and a bind shell was presented to us! I wonder how long this 0day has been around…As Rel1k would say to logan_WHD…”it’s OK, it’s OK…”.

The exploit can be downloaded from BackTrack's exploit archive. To entertain the masses, they also made “Microsoft IIS 5.0 FTP 0 Day – The movie

Sunday, September 6, 2009

Memoria USB Booteable con Varias Distribuciones de Seguridad Informática

A continuación va la receta de cómo llevar nuestras distribuciones de seguridad preferidas en una sola memoria USB/pendrive, todas funcionando correctamente.

307668780bec332e7ba Memoria USB Booteable con Varias Distribuciones de Seguridad Informática

Primero de todo nos descargamos las herramientas que necesitamos.

Una vez nos hayamos descargado PeToUsb iniciamos y procedemos a formatear la llave USB.

 Memoria USB Booteable con Varias Distribuciones de Seguridad Informática

Ahora nos pedirá confirmación:


Y aqui entonces nos avisa de que se eliminarán todos nuestros datos.


Entonces empezará el formateo:

 Memoria USB Booteable con Varias Distribuciones de Seguridad Informática

Cuando acabe el formateo nos saldrá un mensajito:

 Memoria USB Booteable con Varias Distribuciones de Seguridad Informática

Una vez tenemos preparado nuestro dispositivo vamos a instalar GRUB en él.

Abrimos la aplicación WinGrub que ya hemos instalado antes. Nada mas iniciarlo nos pedirá sobre que dispositovo USB instalaremos GRUB

 Memoria USB Booteable con Varias Distribuciones de Seguridad Informática

Ahora instalaremos GRUB en el USB.

 Memoria USB Booteable con Varias Distribuciones de Seguridad Informática

Ahora ya tendremos GRUB instalado.

Ahora cojeremos cualquier LIVE-CD y copiaremos su contenido en la raíz del USB.

Yo lo he echo con Backtrack.

Una vez hayamos copiado el contenido del CD dentro de la llave USB. Creamos un archivo en blanco que sea menu.lst

Dentro del archivo de configuración del Menú le ponemos como ha de arrancar la distribución en sí.

Ejemplo para backtrack:

title BackTrack 4
root (hd0,2)
kernel /boot/vmlinuz vga=0×317 ramdisk_size=6666 root=/dev/ram0 rw quiet

Con esto ya tendríamos el GRUB configurado.

Nota: Cada LIVE -CD se estructura normalmente con dos carpetas, una carpeta boot, y otra con el nombre de la distribución.

Si queremos poner mas de un LIVE-CD podemos renombrar la carpeta boot con otro nombre.

Ejemplo, backtrack4 le ponemos el nombre de bootbt4, kon-boot a bootkon y asi sucesivamente.

Si se cambia el nombre de boot, recordad de cambiarlo en el menu.lst también.

Yo por ejemplo ya he configurado mi grub y las distrubuciones que quería.

Me ha quedado algo así.


Y si lo ponemos desde mas cerca…


Y como veis podremos poner las distribuciones que queramos en nuestro USB.

Fuente: DragonJar.