Thursday, September 27, 2012

Quick malware analysis during incidents

During security incidents caused by malware infections, responders must act fast: identify the malware's behaviour and take action. Analysing malware takes time, however, especially since antivirus products often cannot detect new, well-crafted malware.

To quickly analyse a suspicious file, decide whether it is malware and understand its behaviour, the following quick actions can be taken:

1- Upload the file to VirusTotal. This checks whether the file is detected by any antivirus engine other than the one you have installed; if it is, your antivirus vendor can be contacted to produce a signature for it. Search VirusTotal by the file's hash before uploading: a sample that has never been seen may belong to a targeted attack, and uploading it hands it to every vendor.

2- Upload the file to Anubis and malwr.
Both sandboxes run the file and report its behaviour (files dropped, registry changes, network connections), which indicates whether it is malicious; compare the two reports.
The analysis also helps you take the necessary actions, such as removing the malware, blocking access to its C&C servers, producing IDS/IPS signatures, etc.

These two actions are very simple, but when there is no time and no tools in place, remember that they may be your last resort.
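As an added example (not part of the original post), here are the offline checks I would run before uploading anything: hash the file so it can be looked up on VirusTotal by hash, check whether it is really a Windows PE regardless of its extension, and measure its entropy as a hint that it is packed or encrypted. The sample blob at the bottom is constructed and harmless; the VirusTotal URL format is the public per-hash page.

```python
"""Quick offline triage of a suspicious file (added example, not from the post)."""
import hashlib
import math
import struct
from collections import Counter


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the sample. Look these up on VirusTotal before
    uploading, so a targeted sample is not handed to every AV vendor."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def virustotal_url(sha256: str) -> str:
    """Public VirusTotal page for a hash; 'not found' means nobody has seen it yet."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def is_pe(data: bytes) -> bool:
    """True if the bytes look like a PE executable whatever the file extension says:
    'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0. Values above ~7 usually mean packed or encrypted content."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage(data: bytes) -> dict:
    """Everything a responder wants in the first minute, computed without leaving the box."""
    result = file_hashes(data)
    result["is_pe"] = is_pe(data)
    result["entropy"] = round(shannon_entropy(data), 2)
    result["vt_lookup"] = virustotal_url(result["sha256"])
    return result


def constructed_sample() -> bytes:
    """A constructed, harmless PE-shaped blob used only to exercise the code."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    return bytes(dos) + b"PE\0\0" + bytes(60) + b"A" * 64


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    for name, value in triage(blob).items():
        print(f"{name:>9}: {value}")
```

Run it as `python triage.py suspicious.bin`; the SHA-256 goes into the VirusTotal search box first, and only if nothing is found do you decide whether uploading is acceptable for this incident.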

Sunday, September 16, 2012

C&C traffic: the TOR network as the new medium

New research by G Data Software researchers identified a C&C server for a botnet hidden inside the TOR network.

Their blog post is excellent: it describes the two C&C traffic media that botnets have been using and the new medium, TOR. I highly recommend reading it and establishing an approach to detect and stop such traffic.

Enjoy reading:
Botnet command server hidden in Tor

Digital Forensics Procedure- Quick thought

Always follow a proper digital forensics procedure. Many can be found on the internet; for guidance, one of the following can be used:
SANS Digital Forensics and Incident Response Poster
Forensic Process Lifecycle

Always remember: because you are responsible for the evidence, you have to show the "chain of custody" by following proper procedure and protecting the integrity of the evidence all the way to its disposition.
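As an added example (not part of the original post), this is the minimum I would keep next to every evidence item: an append-only custody log that records who handled it, what they did, when, and its SHA-256 at that moment, plus a verification step that fails if any later hash differs from the acquisition hash. The evidence file, handler names and actions in demo() are constructed.

```python
"""Evidence integrity and chain-of-custody log (added example, not from the post)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Stream the file so multi-gigabyte images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(log_path: str, evidence_path: str, handler: str, action: str, note: str = "") -> dict:
    """Append one custody entry as a JSON line. Entries are never rewritten;
    a break in integrity must stay visible in the record."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "evidence": evidence_path,
        "handler": handler,
        "action": action,
        "note": note,
        "sha256": sha256_file(evidence_path),
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_custody(log_path: str, evidence_path: str) -> tuple:
    """Return (ok, problems). Integrity holds only if every logged hash equals the
    first (acquisition) hash and the file on disk still matches it."""
    with open(log_path) as f:
        entries = [json.loads(line) for line in f if line.strip()]
    entries = [e for e in entries if e["evidence"] == evidence_path]
    if not entries:
        return False, ["no custody entries for this item"]
    baseline = entries[0]["sha256"]
    problems = [
        f"hash changed at '{e['action']}' by {e['handler']}"
        for e in entries[1:] if e["sha256"] != baseline
    ]
    if sha256_file(evidence_path) != baseline:
        problems.append("file on disk no longer matches the acquisition hash")
    return not problems, problems


def demo() -> tuple:
    """Constructed walk-through: acquire, hand over, then tamper and re-verify.
    Returns (ok_before_tamper, ok_after_tamper, problems)."""
    d = tempfile.mkdtemp()
    evidence = os.path.join(d, "disk.img")
    log = os.path.join(d, "custody.jsonl")
    with open(evidence, "wb") as f:
        f.write(b"constructed evidence image contents")
    record_custody(log, evidence, "analyst A", "acquired", "write-blocked copy of drive")
    record_custody(log, evidence, "analyst B", "received for analysis")
    ok_before, _ = verify_custody(log, evidence)
    with open(evidence, "ab") as f:  # an unrecorded modification, the thing the log must expose
        f.write(b"!")
    record_custody(log, evidence, "analyst B", "returned to storage")
    ok_after, problems = verify_custody(log, evidence)
    return ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

The log proves continuity only if it is itself protected (written to a location the analysts cannot silently edit, or signed); the hash proves the item did not change between entries.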

Thursday, August 30, 2012

Who is next in the shamoon queue?

Like a nightmare, I have this thought:
  1. Company "X" in Qatar gets infected.
  2. Remote offices of company "X" in another GCC state "H" get infected.
  3. Service provider "A", which manages the remote office, gets infected.
  4. The same service provider "A" manages a few of GCC state "H"'s government entities; they get infected and then infect other government entities.
Of course, it would be a chain of infections and network shutdowns.

It seems crazy, but think about it as if you were another state with serious issues with the GCC, and you already had the technology, the skills and the code. If you can do it twice, you will hardly be stopped.

Have a nice weekend.

Who was next to ARAMCO?

Answer: It is RasGas in Qatar, which has experienced a virus outbreak; its computer network has been taken offline for three days so far by an unknown virus. Let me guess: it may be Shamoon or one of its cousins.
Aramco in KSA, RasGas in Qatar; will the UAE be next, especially with remote offices around the GCC?

However, the impact can be stopped or reduced by applying the basics of IT security as listed in the following posts:
Stop Shamoon before it is too late
Making Life Difficult for Malware


Wednesday, August 29, 2012

Making Life Difficult for Malware

Making Life Difficult for Malware is a presentation by Jarno Niemelä from F-Secure; it is very practical and I highly recommend it.

Jarno lists recommendations based on research into the behaviour data of ~750,000 known malware samples. Most of the recommendations cost zero dollars and can be implemented easily by any type of organisation using minimal resources.

Enjoy the reading:
Making Life Difficult for Malware

Stop Shamoon before it is too late

Shamoon is striking in the Middle East. It is attacking oil and gas companies: one Saudi company was the first, others are most probably in the queue, and there is potential for other types of organisations to be attacked. It is a matter of time.

In this post I list actions that can be taken, based on the malware analysis done by AV companies, to stop Shamoon or at least reduce its impact. For more details you may browse the following:
Shamoon the Wiper - Copycats at Work
Shamoon the Wiper in details
Shamoon, Saudi Aramco, And Targeted Destruction
The Shamoon Attacks
I am listing two plans: a short-term plan and a long-term plan, which requires budget and time.

Short Term (The foundation):
For IT employees
All IT staff must work as non-administrators.
Use a Remote Access Server (jump host) between the IT network and the servers in the data centre.
Always use "run as administrator" and stop logging in as administrator for day-to-day support, operations or tasks.
Reset all admin passwords for servers, applications, databases, network and security devices.
Never use default passwords or any of the top worst passwords.
No shared accounts or passwords.

For non IT employees and desktop/laptops
Remove administrator access from any user who has it.
Block removable storage if no device control is in place.
If device control is in place, block all executable files on removable media.

Proxy or content filtering
Block the download of executable files and of .inf, .bin, .dll, .conf and .config files.
Block access to networks associated with botnets, C&C servers and suspicious web servers.

Use VLANs to segregate the network by floor, department or business unit.
Implement a separate, isolated IT management network; the same applies to mission-critical infrastructure.

Remote users using VPN
Allow remote users to access only the specific resources they need; stop IP any/any rules.

Remote offices
Only allow remote offices to access the resources they need; stop IP any/any rules.

Security monitoring
Install an open source log collection tool.
Establish daily monitoring and analysis of the security logs.
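An added example, not from the post, of how the proxy rule in the short-term plan should actually be decided: block by extension and by MIME type, but also look at the first bytes of the response, because an attacker can rename setup.exe to setup.txt or serve it with a harmless Content-Type and an extension-only rule lets it through. The C&C blocklist host, the MIME-type set beyond the page's list and the requests in the test are constructed.

```python
"""Proxy download decision: extension, MIME type and content (added example, not from the post)."""
import posixpath
from urllib.parse import urlparse

# Extensions named in the post, plus .exe; keep this list in the proxy's own config in production.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".inf", ".bin", ".conf", ".config"}
# MIME types Windows executables are commonly served with (assumed list, extend as needed).
BLOCKED_MIME = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}
# Constructed stand-in for a botnet/C&C blocklist feed.
BLOCKED_HOSTS = {"cnc.example.net"}


def download_decision(url: str, content_type: str, body_prefix: bytes) -> tuple:
    """Return (blocked, reason). Checks run in order: destination host, extension,
    Content-Type, then the first bytes of the body. The last check is the one that
    catches setup.exe renamed to setup.txt and served as text/plain."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in BLOCKED_HOSTS:
        return True, "destination is on the C&C blocklist"
    ext = posixpath.splitext(parsed.path)[1].lower()  # query string is not part of the path
    if ext in BLOCKED_EXTENSIONS:
        return True, f"extension {ext} is blocked"
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in BLOCKED_MIME:
        return True, f"MIME type {mime} is an executable"
    if body_prefix[:2] == b"MZ":
        return True, "body starts with a PE header despite a harmless name and MIME type"
    return False, "allowed"


if __name__ == "__main__":
    # Constructed requests: one legitimate PDF and four that must be stopped.
    cases = [
        ("http://dl.example.com/setup.EXE?x=1", "text/plain", b""),
        ("http://dl.example.com/readme.txt", "text/plain", b"MZ\x90\x00"),
        ("http://dl.example.com/report", "application/x-msdownload", b""),
        ("http://cnc.example.net/index.html", "text/html", b"<html>"),
        ("http://www.example.com/report.pdf", "application/pdf", b"%PDF-1.4"),
    ]
    for url, ctype, body in cases:
        blocked, reason = download_decision(url, ctype, body)
        print(("BLOCK " if blocked else "ALLOW ") + url + "  (" + reason + ")")
```

The body check needs the proxy to buffer at least the first two bytes of the response before releasing it to the client, which every content-filtering proxy that does AV scanning already does.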

Long term (must be business-risk based):
Implement a SIEM solution.
Implement a device control solution.
Implement a two-factor authentication solution for servers, network devices and critical infrastructure.
Implement a network monitoring and forensics solution.
Implement a network malware analysis solution.
Establish a process to analyse, identify and detect attacks, integrated into the security incident process; the NIST computer security incident handling guide can be used.
Establish a Cyber Security Intelligence framework.

Time is ticking. They are advanced and use unique techniques, but you can make their attacks fail if proper security controls are in place.

Tuesday, August 21, 2012

Build a practical Cyber Security Intelligence- quick thought

Stuxnet, Gauss, Flame and other malicious code, known and unknown, are attacking organisations of all types; some of these attacks we know about and some we do not. But which organisation is next?

Today, when threats are more advanced than, and ahead of, protection technologies and methodologies, every organisation has to build some kind of Cyber Security Intelligence capability to stop, or at least detect in near real time, the advanced threats attacking it.
To build effective Cyber Security Intelligence, the organisation must first have a working risk management process; once Cyber Security Intelligence is established, it must be integrated into that risk management process.

Risk management will help identify the Cyber Security Intelligence framework that meets your organisation's business requirements and protects its valuable assets.

So what can a Cyber Security Intelligence framework consist of? The following lists the components of the framework; it is not a full list, but it can be used as a starting point:

1.      Establish security monitoring, alerting and reporting infrastructure.
2.      Establish a security analysis procedure.
3.      Establish a procedure for handling non-published cyber security information.
4.      Follow the latest security tools.
5.      Follow the latest security news, alerts and analyses.
6.      Follow LinkedIn groups, either security groups or groups related to your business:
    1. Information Security and Risk management experts
    2. Aurora Cyberconflict Research Group
    3. Information Security Community
    4. Information Security Network
    5. ISF - Information Security Forum
    6. Reverse Engineering and Malware Research
    7. Malware Analysis
7.      Build a malware analysis lab.
8.      Follow underground forums.

Of course, not the entire list is required; it depends on your business type and requirements.
You may also need basic knowledge of other languages such as Arabic, Chinese, Russian, Farsi and Hebrew.
I will keep the list updated and later detail how to incorporate all the above components, others, and risk management.

Security Tools Updates, Free Courses and Web Security Testing Platforms - July/August 2012


A derivative of BackTrack 5, based on Ubuntu 12.04, designed for users who wish to use only free software.

NetworkMiner 1.4 released

Samurai Web Testing Framework 2

The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.

Free Computer Science courses with Khan Academy

Khan Academy is a free online learning resource with more than 3000 educational videos. Everyone is welcome to join any course or lesson on the site.


PowerShell for Penetration Testing: a collection of security scripts enabling the use of PowerShell for post-exploitation.

NOWASP (Mutillidae)

Improve your web application pen-testing skills using a free, open source web application provided to let security enthusiasts pen-test a web application. NOWASP (Mutillidae) can be installed on Linux, Windows XP and Windows 7 using XAMPP, making it easy for users who do not want to administer a web server. It is already installed on Samurai WTF and Rapid7 Metasploitable 2.

Friday, April 27, 2012

Registry analysis in Volatility

Volatility is an excellent tool that can extract registry data from memory dumps.
Using Volatility helps confirm a malware infection and identify how the malware maintains its persistence.
The "Top 10 malware registry launch points" study by F-Secure can be used as a starting point.

For example, Volatility can be used as follows (Volatility 2 defaults to the WinXPSP2x86 profile, which fits the zeus.vmem sample; for other images run "vol.py -f <image> imageinfo" first and add --profile=<profile> to each command):
  • vol.py -f zeus.vmem printkey -K "Microsoft\Windows\CurrentVersion\Run"
  • vol.py -f zeus.vmem printkey -K "Microsoft\Windows\CurrentVersion\RunOnce"
  • vol.py -f zeus.vmem printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon" --> check the Shell and Userinit values
In addition, the following can be used to identify malware:
  • vol.py -f zeus.vmem printkey -K "Microsoft\Windows NT\CurrentVersion\Windows" --> check the AppInit_DLLs entries
  • vol.py -f zeus.vmem printkey -K "Classes\.exe\shell\open\command"
  • vol.py -f zeus.vmem printkey -K "Classes\exefile\shell\open\command"
  • vol.py -f zeus.vmem printkey -K "Software\Microsoft\Command Processor" --> check the AutoRun value (AutoRun is a value, not a key; in the SOFTWARE hive the key is "Microsoft\Command Processor")
Without -o (hive offset), printkey searches every hive found in the image, so a key such as Run is reported once per hive that contains it: the SOFTWARE hive and each user's NTUSER.DAT.
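As an added example (not part of the original post), the script below runs the printkey checks above in a loop and applies the checks a responder does by eye: autostarts launched from user-writable directories, a Winlogon Shell or Userinit that is not the stock value, a populated AppInit_DLLs, a hijacked exefile handler, and a cmd.exe AutoRun. It assumes Volatility 2 is on PATH as vol.py; the sample printkey output and the sysupd.exe entries in it are constructed in the shape of Volatility's text output so the parser can be exercised without an image.

```python
"""Run the printkey checks above and flag suspicious launch points (added example, not from the post)."""
import re
import subprocess

# Launch points from the post; printkey walks every hive in the image for each one.
LAUNCH_POINTS = [
    r"Microsoft\Windows\CurrentVersion\Run",
    r"Microsoft\Windows\CurrentVersion\RunOnce",
    r"Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"Microsoft\Windows NT\CurrentVersion\Windows",
    r"Classes\.exe\shell\open\command",
    r"Classes\exefile\shell\open\command",
    r"Software\Microsoft\Command Processor",
    r"Microsoft\Command Processor",
]

# One value line of printkey output: "REG_SZ   Name   : (S) data"
VALUE_RE = re.compile(r"^(REG_\w+)\s+(.+?)\s*:\s*\((S|V)\)\s*(.*)$")
# Directories an ordinary user can write to; autostarts from here deserve a closer look.
USER_WRITABLE = re.compile(r"\\(temp|tmp|local settings|application data|appdata|recycler)\\", re.I)


def run_printkey(image: str, key: str, profile: str = None) -> str:
    """Invoke Volatility 2 (assumed on PATH as vol.py) and return its text output."""
    cmd = ["vol.py", "-f", image]
    if profile:
        cmd.append(f"--profile={profile}")
    cmd += ["printkey", "-K", key]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_printkey(output: str):
    """Yield (hive, key, value_name, data) for every value line in printkey output."""
    hive = key = None
    for line in output.splitlines():
        if line.startswith("Registry: "):
            hive = line[len("Registry: "):].strip()
        elif line.startswith("Key name: "):
            key = line[len("Key name: "):].rsplit(" (", 1)[0]
        else:
            m = VALUE_RE.match(line)
            if m:
                yield hive, key, m.group(2), m.group(4).strip()


def suspicious(entries) -> list:
    """Apply the checks a responder does by eye on each launch point."""
    findings = []
    for hive, key, name, data in entries:
        if key in ("Run", "RunOnce") and USER_WRITABLE.search(data):
            findings.append(f"{key}\\{name} starts {data} from a user-writable directory [{hive}]")
        elif key == "Winlogon" and name == "Shell" and data.lower() != "explorer.exe":
            findings.append(f"Winlogon Shell replaced: {data}")
        elif key == "Winlogon" and name == "Userinit" and not data.lower().endswith("\\userinit.exe,"):
            findings.append(f"Winlogon Userinit chained: {data}")
        elif key == "Windows" and name == "AppInit_DLLs" and data:
            findings.append(f"AppInit_DLLs loads {data} into every process that links user32.dll")
        elif key == "command" and data != '"%1" %*':
            findings.append(f"exefile handler hijacked: {data}")
        elif key == "Command Processor" and name == "AutoRun" and data:
            findings.append(f"cmd.exe AutoRun executes {data}")
    return findings


# Constructed output in the shape of Volatility 2 printkey text; not from a real image.
SAMPLE_OUTPUT = r"""Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Run (S)
Last updated: 2010-08-15 19:17:23

Subkeys:

Values:
REG_SZ        VMware Tools    : (S) "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key name: Run (S)
Last updated: 2010-08-15 19:20:01

Subkeys:

Values:
REG_SZ        sysupd          : (S) C:\Documents and Settings\Administrator\Local Settings\Temp\sysupd.exe
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Winlogon (S)
Last updated: 2010-08-15 19:20:01

Subkeys:
  (S) GPExtensions

Values:
REG_SZ        Shell           : (S) Explorer.exe
REG_SZ        Userinit        : (S) C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sysupd.exe,
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Windows (S)
Last updated: 2010-08-15 19:17:23

Subkeys:

Values:
REG_SZ        AppInit_DLLs    : (S)
"""


if __name__ == "__main__":
    import sys
    image = sys.argv[1] if len(sys.argv) > 1 else None
    text = "".join(run_printkey(image, k) for k in LAUNCH_POINTS) if image else SAMPLE_OUTPUT
    for finding in suspicious(parse_printkey(text)):
        print(finding)
```

Against a real image run `python launchpoints.py zeus.vmem`; anything printed is a lead to follow with pslist, dlllist and malfind, not a verdict on its own.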

Thursday, April 26, 2012

Assess your internet connection security

Have you ever thought about doing an external penetration test, but no budget is available?

I suggest the following free online tools to determine how secure your organisation is. These tools give you a basic assessment only; you still need an in-depth penetration test to make sure no security weaknesses allow hackers into your network.

Port Scanner
Web Tool Hub Online port scanner

Web applications and vulnerability scanners
Qualys FreeScan
Automated Security Analyser for ASP.NET Websites

Tuesday, April 17, 2012

Memory Forensics

As an incident responder, you have to know how to conduct memory forensics.

All over the internet you can find many excellent articles; here I list them to help new incident responders understand and build memory forensics skills using the Volatility tool.

First, the reference you must keep with you at all times:
Memory Forensics Cheat Sheet

List of tutorials

IETab_IE65 Malware Memory Analysis
Volatility Memory Forensics | Basic Usage for Malware Analysis
Zeus Analysis in Volatility 2.0
Zeus v2 Malware Analysis - Part II
Stuxnet's Footprint in Memory with Volatility 2.0
Memory Forensics: Analyzing a Stuxnet Memory Dump (And you can too!)

I will keep the list updated with the best references and tutorials.

One Hour A Day Keeps Intrusions Away

In the IT field everyone is busy and forgets about checking the security of the IT infrastructure. By spending about one hour daily, IT or security administrators will be able to prevent intrusions, or at least detect them before it is too late.

All you need are the reports generated by the security tools already in place: antivirus, proxy, content filter, intrusion prevention systems, etc., and the firewalls. If no log and reporting tool is in place, Splunk (free edition) or OSSIM (open source) can be used to generate the required reports.

In addition to reports, you have to subscribe to one or more security alert feeds and newsletters.

So how can we spend that hour daily? Simply, the following can be done:
  1. Based on antivirus reports
    1. Review the top 5 infected computers
    2. Review the top 5 virus infections
  2. Based on IPS/IDS reports
    1. Review the top 5 sources of attacks
    2. Review the top 5 targets of attacks
  3. Based on proxy or content filtering reports
    1. Review the top 5 visited web sites
    2. Review web links visited during non-working hours or at weekends
    3. Review suspicious web links
  4. Based on firewall reports
    1. Review the top 5 blocked ports
    2. Review the top 5 blocked internal IP addresses
    3. Review the external ports (UDP/TCP) that internal hosts accessed
  5. Search for information posted about your entity
  6. Check your web server for a defacement you do not yet know about
  7. Review security newsletters and alerts
Soon I will add more details about what to look for and how to identify possible or potential intrusions or weaknesses.
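As an added example (not part of the original post), the firewall and proxy items above as code: top-N blocked ports and blocked sources, the external ports internal hosts actually reached, top visited sites, and visits outside working hours or at the weekend. The log lines are constructed in an iptables-like layout and a simple "timestamp client URL" proxy layout; real devices differ, so the regular expression and the line split are the parts to adapt.

```python
"""One-hour daily review helpers over constructed log lines (added example, not from the post)."""
import ipaddress
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Constructed firewall lines (iptables-like); addresses are from the RFC 5737 documentation ranges.
FIREWALL_LOG = """\
Aug 21 09:15:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44321 DPT=445
Aug 21 09:15:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44322 DPT=445
Aug 21 09:15:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP SPT=44323 DPT=445
Aug 21 09:20:11 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=22
Aug 21 09:20:12 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=22
Aug 21 10:02:40 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=198.51.100.10 PROTO=TCP SPT=3333 DPT=3389
Aug 21 10:30:00 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=192.0.2.10 PROTO=TCP SPT=50100 DPT=443
Aug 21 10:31:00 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=192.0.2.10 PROTO=TCP SPT=50101 DPT=443
Aug 21 22:05:13 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.8 DST=203.0.113.44 PROTO=TCP SPT=50200 DPT=6667
"""

# Constructed proxy lines: ISO timestamp, client IP, URL (2012-08-25 is a Saturday).
PROXY_LOG = """\
2012-08-21T09:15:00 10.0.0.7 http://www.example.com/news
2012-08-21T02:13:07 10.0.0.7 http://update.example.net/x.php?id=7
2012-08-21T11:00:00 10.0.0.8 http://www.example.com/mail
2012-08-25T11:00:00 10.0.0.8 http://files.example.org/dl
2012-08-21T17:59:59 10.0.0.9 http://www.example.com/
"""

FW_RE = re.compile(
    r"(?P<action>DROP|ACCEPT)\s.*?SRC=(?P<src>\S+)\s.*?PROTO=(?P<proto>\S+)\s.*?DPT=(?P<dpt>\d+)"
)


def firewall_review(log: str, n: int = 5) -> dict:
    """Items 4.1 to 4.3 of the post: blocked ports, blocked sources, and the external
    ports that internal (private-address) hosts were allowed to reach."""
    blocked_ports, blocked_sources, external_ports = Counter(), Counter(), Counter()
    for line in log.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        port = f"{m['proto']}/{m['dpt']}"
        if m["action"] == "DROP":
            blocked_ports[port] += 1
            blocked_sources[m["src"]] += 1
        elif ipaddress.ip_address(m["src"]).is_private:
            external_ports[port] += 1  # outbound: a new TCP/6667 or TCP/4444 here is worth a look
    return {
        "blocked_ports": blocked_ports.most_common(n),
        "blocked_sources": blocked_sources.most_common(n),
        "external_ports": external_ports.most_common(n),
    }


def proxy_review(log: str, n: int = 5, work_start: int = 8, work_end: int = 18) -> dict:
    """Items 3.1 and 3.2 of the post: most visited sites and visits outside working hours."""
    sites, off_hours = Counter(), []
    for line in log.splitlines():
        timestamp, client, url = line.split(maxsplit=2)
        when = datetime.fromisoformat(timestamp)
        sites[urlparse(url).hostname] += 1
        if when.weekday() >= 5 or not (work_start <= when.hour < work_end):
            off_hours.append((timestamp, client, url))
    return {"top_sites": sites.most_common(n), "off_hours": off_hours}


if __name__ == "__main__":
    for title, rows in firewall_review(FIREWALL_LOG).items():
        print(title, rows)
    for title, rows in proxy_review(PROXY_LOG).items():
        print(title, rows)
```

The value of the daily hour is in the deltas: keep yesterday's top-5 lists and look first at whatever is new in today's, such as a blocked source that was not there before or an internal host opening an outbound port nobody uses.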