Showing posts with label malware. Show all posts

Wednesday, February 25, 2009

Google Safe Browsing Diagnostic


Today I read about the Google Safe Browsing Diagnostic report, and it's really interesting.

Google is providing a security diagnostic report about web sites, in which they answer:

*What is the current listing status for [the site in question]?

We display the current listing status of a site and also information on how often a site or parts of it were listed in the past.

*What happened when Google visited this site?

This section includes information on when we analyzed the page, when it was last malicious, what kind of malware we encountered and so forth. To help webmasters clean up their site, we also provide information about the sites that were serving malicious software to users and which sites might have served as intermediaries.

*Has this site acted as an intermediary resulting in further distribution of malware?

Here we provide information if this site has facilitated the distribution of malicious software in the past. This could be an advertising network or statistics site that accidentally participated in the distribution of malicious software.

*Has this site hosted malware?

Here we provide information if the site has hosted malicious software in the past. We also provide information on the victim sites that initiated the distribution of malicious software.

This service is very useful and is similar to McAfee SiteAdvisor. You can check an example report for doubleclick.net here, where malware was detected in the past.

This report is what Google knows about the security of a site, or better said, the potential security risks that you can find on a site.

You can access this service via the website, or via Firefox "additional information".

More information in the Google blog

-CMM

Wednesday, January 21, 2009

Zerowine: Malware behavior analysis

Here is a new project aimed at dynamically analyzing the behavior of malware. The twist here is that Zerowine runs the malware sample under WINE in a safe virtual sandbox, collecting information about the APIs called by the sample.

Zerowine is distributed as a QEMU virtual machine running Debian. Zerowine is installed in the virtual machine together with a web interface to upload malware samples, check the status of the analysis and finally view the report.

Here are some screenshots:



Project page: Zerowine
Enjoy
-CMM

Tuesday, January 13, 2009

Yara Malware Classification tool

A new malware classification tool is on the block: YARA is a tool aimed at helping malware researchers identify and classify malware samples.

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts using the yara-python extension.


-CMM

Thursday, January 1, 2009

IE7 0day

Hi, we open the year with a guest post from Vicente Diaz, who will contribute guest posts during this new year 2009. Welcome Vicente!

The last vulnerability in Internet Explorer 7 was a bad one, affecting all previous versions and giving little time to patch it, since malware started to take advantage of it. As explained in my post at S21sec's blog (Spanish), the vulnerability was used in a massive SQL injection campaign along with many other vulnerabilities affecting Real Player, Adobe Acrobat and MS Office, among others.

The discovery of the vulnerability seems to be in China, going around the dark market by mid November, but the disclosure was after MS patch Tuesday during December. However, the question of HOW it was discovered does not have an easy answer ... I was reading about this at Microsoft's blog and it is not clear at all. Even using SDL this vulnerability is not easy to spot, much more difficult without having the code (as I assume). There is not much room for fuzzers (but they might be useful), and it is not likely to happen just by chance, so it seems someone really took bug finding in IE 7 seriously.

You see these vulnerabilities appearing from time to time, but when you stop to think about this, it is really amazing. As the guys at MS say, bad guys have all the time in the world to look for vulnerabilities but developers have tight deadlines and limited resources. This is true, and this makes the use of several layers of security necessary, but my final thought is that bad guys are going really professional, so we still have a lot of work to do to stop them.


-CMM

Wednesday, December 31, 2008

Flash movie analyzers

Here is an online tool that performs an analysis of a Flash movie; this is very interesting for analyzing potentially malicious movies:


Another tool is Wepawet, which handles Flash and JavaScript files:


Here we can find some interesting tools like the SWFdump and SWFstrings:


Also, here is an interesting post on analyzing Flash:


Thanks to Vicente for the links
Enjoy

-CMM

Wednesday, December 17, 2008

Malware Hash registry

Team Cymru has launched a look-up service that allows you to query their database of many millions of unique malware samples for an MD5 or SHA-1 hash of a file.

The service is free for non-commercial use.

The results of the query will show the date the sample was first seen and the detection rate across 30 AV engines.

You can also cross-check with the www.virustotal.com hash check option.

More information HERE
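A small client-side helper for this workflow, added here as an example (it is not Team Cymru's code): it hashes a file, builds the lookup name, and interprets the answer. The lookup interface is an assumption stated in the code: a DNS TXT query for <hash>.malware.hash.cymru.com that answers "<first-seen unix timestamp> <detection rate>" and returns NXDOMAIN for hashes the registry does not know. The network query itself is left to any resolver (for example dig +short <name> TXT), so the block runs offline on a constructed answer.

```python
import hashlib
from datetime import datetime, timezone
from typing import Optional

# Assumed interface of the registry (not taken from the post): resolve the TXT
# record "<hash>.malware.hash.cymru.com"; the answer is
# "<first-seen unix timestamp> <detection rate %>", NXDOMAIN means unknown.
MHR_ZONE = "malware.hash.cymru.com"


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-1 of a file's contents, the two digests the registry accepts."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def mhr_query_name(digest: str) -> str:
    """Build the DNS name to resolve (TXT) for one MD5 or SHA-1 hex digest."""
    digest = digest.strip().lower()
    if len(digest) not in (32, 40) or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected a hex MD5 (32 chars) or SHA-1 (40 chars) digest")
    return f"{digest}.{MHR_ZONE}"


def parse_mhr_txt(txt: Optional[str]) -> Optional[dict]:
    """Turn the TXT answer into a record; None (NXDOMAIN) means 'not in the registry'."""
    if txt is None:
        return None
    first_seen, rate = txt.strip().strip('"').split()
    return {
        "first_seen": datetime.fromtimestamp(int(first_seen), tz=timezone.utc),
        "detection_rate": int(rate),  # percentage of the AV engines that flagged it
    }


def triage(result: Optional[dict], threshold: int = 50) -> str:
    """Label a lookup result for an analyst's queue (the threshold is our own choice)."""
    if result is None:
        return "unknown"  # absence from the registry is not evidence the file is clean
    return "known-malware" if result["detection_rate"] >= threshold else "low-detection"


if __name__ == "__main__":
    # Constructed sample: hashes of an empty file, plus a constructed TXT answer.
    digests = file_hashes(b"")
    print("query:", mhr_query_name(digests["md5"]))
    answer = parse_mhr_txt('"1225302335 79"')
    print("first seen:", answer["first_seen"].date(), "rate:", answer["detection_rate"])
    print("triage:", triage(answer))
```

The triage threshold is deliberately a parameter: a low detection rate in the registry is worth a second look rather than an automatic pass, and a miss only means the sample is not in the database.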

-CMM

Tuesday, December 2, 2008

Shellcode2Exe

Here is a tool that could be handy when you stumble upon a shellcode and want to create a binary to analyze with a debugger:

Shellcode2Exe

Just paste the shellcode and click submit; right now it supports 3 types of shellcode:

1) %u urlencoded IE shellcode payloads
2) \x style C strings
3) raw hex strings with no spaces ex. 9090EB15

It's based on a tool that you can find in the Malcode Analyzing Pack from iDefense.
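The first step such a tool has to do is turn the pasted text into raw bytes, and that is what the following added example shows for the three input styles listed above (it is my own illustration, not Shellcode2Exe's or the iDefense code). The %u style is decoded as 16-bit little-endian words, which is how the browser interprets those escapes; the function and file names are mine. Wrapping the bytes into an executable, which the online tool does next, is not part of this block: the .bin it writes can be loaded directly into a disassembler.

```python
import re
from pathlib import Path
from typing import Optional

# %uXXXX (16-bit word) or %XX (single byte), as seen in exploit pages
UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
# "\x90\x90..." escapes inside a C string literal
CSTRING_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")


def detect_format(text: str) -> str:
    """Guess which of the three encodings the pasted text uses."""
    if "%u" in text.lower():
        return "unicode"
    if "\\x" in text.lower():
        return "cstring"
    return "hex"  # bare hex digits, e.g. 9090EB15


def decode_unicode(text: str) -> bytes:
    """Each %uXXXX is a little-endian 16-bit word (%u15eb -> EB 15); %XX is one byte."""
    out = bytearray()
    for word, byte in UNICODE_ESC.findall(text):
        if word:
            out += bytes.fromhex(word)[::-1]
        else:
            out.append(int(byte, 16))
    return bytes(out)


def decode_cstring(text: str) -> bytes:
    """Pull every \\xNN escape out of a C-style string; quotes, '+' and ';' are ignored."""
    return bytes(int(h, 16) for h in CSTRING_ESC.findall(text))


def decode_hex(text: str) -> bytes:
    """Raw hex, whitespace tolerated; an odd digit count means a truncated paste."""
    digits = re.sub(r"\s+", "", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits: truncated or mixed-format input")
    return bytes.fromhex(digits)


DECODERS = {"unicode": decode_unicode, "cstring": decode_cstring, "hex": decode_hex}


def decode_shellcode(text: str, fmt: Optional[str] = None) -> bytes:
    """Decode pasted shellcode text to raw bytes, auto-detecting the format if not given."""
    fmt = fmt or detect_format(text)
    data = DECODERS[fmt](text)
    if not data:
        raise ValueError(f"no bytes decoded as {fmt}; check the input format")
    return data


def write_raw(text: str, path: str) -> int:
    """Write the decoded bytes to a .bin file for a disassembler; returns the byte count."""
    data = decode_shellcode(text)
    Path(path).write_bytes(data)
    return len(data)


if __name__ == "__main__":
    # Constructed inputs: the page's 9090EB15 example in each of the three encodings.
    for sample in ("%u9090%u15eb", r'"\x90\x90\xeb\x15"', "9090EB15"):
        print(f"{detect_format(sample):8} -> {decode_shellcode(sample).hex()}")
```

Auto-detection is a convenience only; when a paste mixes styles or contains stray text, pass fmt explicitly and compare the byte count with what you expected.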

Thanks Vicente for the tip

-CMM

Tuesday, November 11, 2008

Memoryze - Memory forensic tool

Jamie Butler presented the tool Memoryze at HITB 2008, intended to help incident responders find evil in live memory.

"Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis."

Memoryze site
Here are some use cases

-CMM

Tuesday, October 7, 2008

Displaying Windows cached DNS entries

This is a super fast post. Here is an interesting command for checking the cached DNS entries on a Windows system:

c:>ipconfig /displaydns

slashdot.org
----------------------------------------
Nombre de registro . : slashdot.org
Tipo de registro . . : 1
Período de vida . . . : 2117
Longitud de datos . . : 4
Sección . . . . . . . : respuesta
Un registro (host). . : 216.34.181.45


This could be useful when analyzing malware or doing forensic analysis.
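When this output is collected from several hosts during an investigation it helps to parse it rather than read it by eye. The following is an added example of mine (not part of the post): a parser for the ipconfig /displaydns dump that understands the Spanish labels shown above and, as an assumption, their English-locale equivalents, maps the numeric record type to its DNS name, and checks the cached names and answers against a watchlist. The sample output is constructed from the post's entry plus a made-up second entry using the 192.0.2.10 documentation address.

```python
import re
from typing import Dict, Iterable, List

# Label-to-field map for the Spanish output quoted in the post and (assumed, from an
# English-locale Windows) the English equivalents. Extend for other locales.
LABELS = {
    "nombre de registro": "name", "record name": "name",
    "tipo de registro": "type", "record type": "type",
    "período de vida": "ttl", "periodo de vida": "ttl", "time to live": "ttl",
    "longitud de datos": "data_length", "data length": "data_length",
    "sección": "section", "section": "section",
}
# Standard DNS RR type codes; the dump prints the number, not the name.
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
            15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}

FIELD_RE = re.compile(r"^\s*(?P<label>[^:]+?)[\s.]*:\s*(?P<value>.*)$")
RULE_RE = re.compile(r"^\s*-{5,}\s*$")


def parse_displaydns(text: str) -> List[Dict]:
    """Parse `ipconfig /displaydns` output into one dict per cached record."""
    lines = text.splitlines()
    records: List[Dict] = []
    current = None
    for i, line in enumerate(lines):
        # A record starts with the cache entry name, followed by a dashed rule.
        if line.strip() and i + 1 < len(lines) and RULE_RE.match(lines[i + 1]):
            current = {"entry": line.strip()}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is None or not m or RULE_RE.match(line):
            continue  # header lines before the first record, rules, blanks
        label = m.group("label").strip().lower()
        value = m.group("value").strip()
        # Labels not in the map ("Un registro (host)", "A (Host) Record",
        # "CNAME Record", ...) carry the record data itself.
        key = LABELS.get(label, "data")
        if key in ("type", "ttl", "data_length") and value.isdigit():
            value = int(value)
        current[key] = value
        if key == "type":
            current["type_name"] = RR_TYPES.get(value, f"TYPE{value}")
    return records


def find_matches(records: Iterable[Dict], watchlist: Iterable[str]) -> List[Dict]:
    """Records whose name or answer data appears on a watchlist of hosts/IPs."""
    bad = {w.lower() for w in watchlist}
    return [r for r in records
            if str(r.get("data", "")).lower() in bad
            or str(r.get("name", "")).lower() in bad]


# Constructed sample: the Spanish entry from the post plus a made-up English-locale
# entry (192.0.2.10 is a documentation address, not a real indicator).
SAMPLE_OUTPUT = """\
C:\\>ipconfig /displaydns

slashdot.org
----------------------------------------
Nombre de registro . : slashdot.org
Tipo de registro . . : 1
Período de vida . . . : 2117
Longitud de datos . . : 4
Sección . . . . . . . : respuesta
Un registro (host). . : 216.34.181.45

updates.example.net
----------------------------------------
Record Name . . . . . : updates.example.net
Record Type . . . . . : 1
Time To Live  . . . . : 600
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 192.0.2.10
"""

if __name__ == "__main__":
    recs = parse_displaydns(SAMPLE_OUTPUT)
    for r in recs:
        print(r["name"], r["type_name"], r.get("ttl"), r.get("data"))
    print("watchlist hits:", [r["entry"] for r in find_matches(recs, {"192.0.2.10"})])
```

The cache only holds what was resolved recently and survives neither a reboot nor ipconfig /flushdns, so capture it early in a response and before running anything else that resolves names on the host.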

CMM

Monday, October 6, 2008

Ecrime - New mafias

This time my partner Vicente gave a great talk about the Cyber Mafias at the FIST Conference. The talk was an overview of how they operate, the money they manage, and some techniques they use.

It's a very interesting talk for everybody, because it's not a topic that you can find much information about.

The presentation is more interesting with Vicente's speech and comments, but you can download the presentation from the FIST Conference page, or from the Edge-Security site.

Enjoy

Wfuzz 2.2.0 released

I'm pleased to announce a new version of WFuzz! Wfuzz has been created to facilitate the task in web applications assessments and it...