02.18.07

An Old VMWare Trick Revisited

Posted in IT, Tools, Uncategorized at 6:33 am by Tyler Reguly

A couple of years ago I posted a tip on a forum I frequent on how to disable debug mode with VMWare Betas.  It's recently come to my attention that not everyone who uses VMWare is aware of this ability, so I thought I'd share the tip once again.

VMWare Betas ship with debugging turned on, the idea being that you can report any problems back to VMWare. The problem is that running the debug build means a noticeable decrease in performance.

To disable debugging under Linux:

cd /usr/lib/vmware
mv bin-debug bin-debug.bak      # keep the real debug build as a backup
mkdir bin-debug
cd bin
cp vmware-vmx* ../bin-debug     # fill bin-debug with the release binaries instead

To disable debugging under Windows:

Browse to your installation directory.
Rename bin-debug to bin-debug.bak
Create a copy of bin
Rename the copy of bin to bin-debug

You'll now have the option to disable debugging in your VM Options.
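The same swap, written out as an added example (my own code, not VMware's and not part of the original tip) with the two checks worth having before you touch an install: it refuses to overwrite an existing bin-debug.bak, since that backup is the only copy of the real debug binaries, and it verifies afterwards that bin-debug really contains the release vmware-vmx* files. The directory layout it builds for the demo is constructed stand-in data, not real binaries.

```python
import shutil
import tempfile
from pathlib import Path


def disable_debug_build(install_dir, pattern="vmware-vmx*"):
    """Apply the post's steps to a VMware install directory, with guards.

    1. rename bin-debug to bin-debug.bak (refusing to clobber an existing backup)
    2. create a fresh bin-debug
    3. copy the release vmware-vmx* binaries from bin into it
    Returns the sorted names of the files copied.
    """
    root = Path(install_dir)
    bin_dir, debug_dir, backup_dir = root / "bin", root / "bin-debug", root / "bin-debug.bak"

    if not bin_dir.is_dir():
        raise FileNotFoundError(f"release build directory not found: {bin_dir}")
    if backup_dir.exists():
        # The backup holds the only copy of the real debug build; never overwrite it.
        raise FileExistsError(f"backup already exists, refusing to overwrite: {backup_dir}")
    release_files = sorted(p for p in bin_dir.glob(pattern) if p.is_file())
    if not release_files:
        raise FileNotFoundError(f"nothing matching {pattern!r} in {bin_dir}")

    if debug_dir.exists():
        debug_dir.rename(backup_dir)
    debug_dir.mkdir()
    for src in release_files:
        shutil.copy2(src, debug_dir / src.name)  # copy2 keeps the execute bit
    return [p.name for p in release_files]


def debug_build_disabled(install_dir, pattern="vmware-vmx*"):
    """True when every vmware-vmx* in bin-debug is byte-identical to the one in bin."""
    root = Path(install_dir)
    release = {p.name: p.read_bytes() for p in (root / "bin").glob(pattern) if p.is_file()}
    debug = {p.name: p.read_bytes() for p in (root / "bin-debug").glob(pattern) if p.is_file()}
    return bool(release) and release == debug


def make_sample_install():
    """Throwaway layout mimicking /usr/lib/vmware (constructed stand-ins, not real binaries)."""
    root = Path(tempfile.mkdtemp(prefix="vmware-demo-"))
    (root / "bin").mkdir()
    (root / "bin-debug").mkdir()
    (root / "bin" / "vmware-vmx").write_bytes(b"release build stand-in")
    (root / "bin" / "vmware").write_bytes(b"launcher stand-in, does not match the pattern")
    (root / "bin-debug" / "vmware-vmx").write_bytes(b"debug build stand-in")
    return str(root)


if __name__ == "__main__":
    demo = make_sample_install()
    print("debug build disabled before:", debug_build_disabled(demo))
    print("copied:", disable_debug_build(demo))
    print("debug build disabled after:", debug_build_disabled(demo))
```

Run it against the real path (/usr/lib/vmware on Linux, the installation directory on Windows) only after confirming bin-debug.bak does not already exist; a second run deliberately fails rather than replacing the backup with release binaries.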

02.07.07

A Tribute to Stephen Colbert - Starring RSA

Posted in IT, Security, Uncategorized at 4:03 am by Tyler Reguly

Over at 360 Security (Formerly The VERT Daily Post), Graver has been providing write-ups on the events at RSA... One of these posts is a true tribute... providing either a Tip of the Hat or a Wag of the Finger to various vendors present at RSA. He's also provided a theory on how hackers can outnumber security vendors.

02.05.07

Just to put a smile on your face..

Posted in IT, Linux, Operating Systems, Uncategorized at 11:57 pm by Tyler Reguly

Many people have probably already seen this... (since it made the front page of digg) but if you haven't here you go...

http://www.loconet.ca/?p=64 (Linux over the Vista logo in a Toronto Subway Station)

01.31.07

A Website I Rather Enjoy

Posted in Daily Link List, Uncategorized at 7:56 am by Tyler Reguly

One of the websites in my RSS feed that I really enjoy is LinuxSecurity.com. The site compiles outside links from various news sources and presents some of the more interesting ones on a single page... however it's not without issues... From the RSS feed, you are constantly getting "Page Not Found" errors... and you have to return to the main page to click the link for the article.

Anyways I was over there looking today and I found some rather interesting articles available:

Stompy Session ID Analyzer -- This is a great concept... I haven't tested it yet so I can't quite say great tool.  People quite often create their own Session IDs... this will let you see if they're based off anything.. or if there's a pattern available...  Download Link (tgz)
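To show what "based off anything" looks like in practice, here is a small analyzer added as an illustration (my own code, not Stompy, which runs far more statistical tests than this). Given a captured sample of your own application's session IDs, it measures how much each character position actually varies and whether the IDs, read as numbers, step by a constant amount. The two sample sets are constructed: WEAK_IDS imitate a fixed prefix plus a counter, STRONG_IDS were hand-written so that every position varies.

```python
import math
from collections import Counter

# Constructed samples, not output of any real application.
WEAK_IDS = ["1171000001", "1171000002", "1171000003",
            "1171000004", "1171000005", "1171000006"]
STRONG_IDS = ["3f9a1c77e2b04d5e", "a81d0e4c6f3b9207", "c52e7b19d0a4f863",
              "7e03b6d2a19c54fb", "19c4f8a0e7d3b265", "e6b2059fc4187a3d"]


def position_entropy(ids):
    """Shannon entropy in bits of the character at each position across the sample.

    0.0 means the position never changes; log2(len(ids)) means every sample differs there.
    """
    width = min(len(s) for s in ids)
    n = len(ids)
    entropies = []
    for i in range(width):
        counts = Counter(s[i] for s in ids)
        entropies.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return entropies


def fixed_positions(ids):
    """Indices whose character is identical in every sampled id."""
    return [i for i, h in enumerate(position_entropy(ids)) if h == 0.0]


def sequential_fraction(ids, base):
    """Read the ids (in capture order) as integers in `base` and return the share of
    consecutive differences equal to the single most common difference.
    1.0 means the ids are a plain counter; 1/(n-1) means no step ever repeats."""
    try:
        values = [int(s, base) for s in ids]
    except ValueError:
        return 0.0  # not numeric in this base, so the counter test does not apply
    if len(values) < 2:
        return 0.0
    deltas = [b - a for a, b in zip(values, values[1:])]
    _, count = Counter(deltas).most_common(1)[0]
    return count / len(deltas)


def assess(ids, base=16):
    """Summarise the sample; flag it when most positions are constant or it counts up."""
    width = min(len(s) for s in ids)
    fixed = fixed_positions(ids)
    seq = sequential_fraction(ids, base)
    predictable = len(fixed) > width // 2 or seq > 0.5
    return {"width": width, "fixed_positions": fixed, "sequential_fraction": seq,
            "verdict": "predictable" if predictable else "no obvious pattern"}


if __name__ == "__main__":
    print("weak  :", assess(WEAK_IDS, base=10))
    print("strong:", assess(STRONG_IDS, base=16))
```

Capture order matters for the counter test: collect the IDs in the order the server issued them. A clean result from a handful of IDs is not proof of randomness, only the absence of the crudest patterns; that is where a tool like Stompy, with a larger sample and proper statistical tests, takes over.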

AJAX Fingerprinting Web 2.0 -- Another great concept... As people move to this new world of Web 2.0, applications are being built on frameworks... GWT, PyJamas, ASP.NET AJAX, etc... More often than not, when these frameworks are flawed, the applications built on them will also be flawed. The concept of AJAX fingerprinting gives us:

Ajax fingerprinting can help in deriving the following benefits:

  • Vulnerability detection – Knowledge of the framework on which a web application is running, allows the mapping of publicly known vulnerabilities found for that particular framework. Example – DWR client side vulnerability.
  • Architecture enumeration – On the basis of derived information from fingerprinting it is possible to guess application architecture and the inner workings of a system. Example – Atlas (.NET application framework), DWR (Servlet/JavaScript combo).
  • Assessment methodology – Derived information from the fingerprinting phase can help in defining future assessment path and vulnerability detection methods. Example – Deciding on JavaScript-scanning.

Download Link (pdf)

These last two are just news articles...

2006: The Year Hacking Became a Business

Vulns Spiked 39% in 2006 according to an IBM ISS report.

08.14.06

Worm/Botnet Circulating for MS06-040

Posted in IT, Security, Uncategorized, Vulnerabilities at 1:29 am by Tyler Reguly

For those of you that haven't patched yet... a worm (a variant of MocBot or a 'new' virus according to MS named Graweg) is circulating for MS06-040... it's fairly standard.. exploit, install a service.. the service connects to IRC and waits for commands..

LurHQ has a great analysis of the virus

quote:
Mocbot first appeared in late 2005, using the MS05-039 PNP vulnerability in order to spread. Since it is a fairly unremarkable IRC bot and was not even the first to use the MS05-039 exploit, it received little attention past the ordinary anti-virus writeups and signatures.

Amazingly, this new variant of Mocbot still uses the same IRC server hostnames as a command-and-control mechanism after all these months. This may be partially due to the low profile it has held, but also may be due to the fact that the hostnames and IP addresses associated with the command-and-control servers are almost all located in China. Historically Chinese ISPs and government entities have been less-than-cooperative in taking action against malware hosted and controlled from within their networks.

Little appears to have changed between previous Mocbot variants and the new one, except the replacement of the MS05-039 exploit with that of MS06-040. Primarily Mocbot resembles many other IRC bots, providing the controller with a backdoor on the infected host, along with the ability to launch a DDoS attack against other hosts, as well as being able to use the built-in exploit to spread to additional systems.

This variant of mocbot copies itself to the system directory as wgareg.exe, and creates an NT service to run at startup called "Windows Genuine Advantage Registration Service". The description given to the service reads "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.", in an attempt to discourage users from stopping it from running.

Mocbot can also use AOL Instant Messenger to send instant messages using the victim's account. This could be a potential vector to allow the controller to trick users into downloading and executing the bot from an external URL, allowing it to penetrate firewalls like any other file downloaded over HTTP. Once inside a network, it could then spread using the MS06-040 exploit to vulnerable internal systems over TCP port 445. This underscores the danger of allowing unrestricted external instant messaging in a corporate environment, as it often introduces malware directly to users, bypassing perimeter controls.

At the time of this writing, anti-virus detection is not especially broad, with only 1/3 of all anti-virus engines tested reporting the file as malware or flagging it as suspicious. None of them recognize it as a Mocbot variant.

They also have snort signatures available on their site which they've submitted to bleeding snort.
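The snort signatures cover the network side; the LurHQ writeup also gives enough host-side detail to triage installed services. The check below is an added example (my own code, not LurHQ's or the bleeding snort rules) that runs the three host indicators from the quote over service records: the wgareg.exe file name, the "Windows Genuine Advantage Registration Service" display name, and the threatening description text. Each indicator is tested separately so a variant that changes one of them still trips the others. The service records, including the "wgareg" short name, are constructed sample data; the writeup only gives the display name.

```python
import ntpath

# Host indicators from the LurHQ writeup quoted above (compared case-insensitively).
MOCBOT_EXECUTABLE = "wgareg.exe"
MOCBOT_DISPLAY_NAME = "windows genuine advantage registration service"
MOCBOT_DESCRIPTION_FRAGMENT = "will result in system instability"

# Constructed service records in the shape of what "sc qc" / the registry would give you.
SAMPLE_SERVICES = [
    {"name": "Spooler", "display_name": "Print Spooler",
     "binary_path": "C:\\WINNT\\system32\\spoolsv.exe",
     "description": "Manages all local and network print queues."},
    {"name": "wgareg",  # short name is a constructed guess, not from the writeup
     "display_name": "Windows Genuine Advantage Registration Service",
     "binary_path": "C:\\WINNT\\system32\\wgareg.exe",
     "description": "Ensures that your copy of Microsoft Windows is genuine and registered. "
                    "Stopping or disabling this service will result in system instability."},
    {"name": "UpdateHelper",  # constructed: display name changed, same binary, with an argument
     "display_name": "Update Helper",
     "binary_path": "C:\\WINNT\\system32\\wgareg.exe -k",
     "description": "Helps with updates."},
    {"name": "DemoAgent",  # constructed: quoted path with a space, should stay clean
     "display_name": "Demo Agent",
     "binary_path": '"C:\\Program Files\\Demo\\agent.exe" /service',
     "description": "Vendor agent."},
]


def executable_name(binary_path):
    """Lower-cased file name of the service executable, ignoring quoting and arguments."""
    path = binary_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    else:
        path = path.split(" ", 1)[0]
    return ntpath.basename(path).lower()


def check_service(svc):
    """Return the names of the indicators this service record matches (empty = clean)."""
    hits = []
    if executable_name(svc.get("binary_path", "")) == MOCBOT_EXECUTABLE:
        hits.append("binary name wgareg.exe")
    if svc.get("display_name", "").strip().lower() == MOCBOT_DISPLAY_NAME:
        hits.append("display name")
    if MOCBOT_DESCRIPTION_FRAGMENT in svc.get("description", "").lower():
        hits.append("threatening description text")
    return hits


def scan_services(services):
    """Map service name -> matched indicators for every record matching at least one."""
    findings = {}
    for svc in services:
        hits = check_service(svc)
        if hits:
            findings[svc["name"]] = hits
    return findings


if __name__ == "__main__":
    for name, hits in scan_services(SAMPLE_SERVICES).items():
        print(f"{name}: {', '.join(hits)}")
```

A match on any single indicator is a triage lead, not a verdict; confirm with the file hash from your AV vendor and with the IRC traffic the snort signatures look for.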

The MSRC blog is reporting this:

quote:
Hey everyone, it’s Adrian. Wanted to drop in and let you know where we are in our investigation of Win32/Graweg. As I’m sure you’ve seen by now on our AV partner sites, this is rated as a low threat and doesn’t at this time replicate automatically from machine to machine. So its impact in terms of infection base appears to be extremely small. We’ve updated the security advisory related to MS06-040. What we know right now is that the attack affects specifically Windows 2000 computers that have not applied the MS06-040 update. Thus far we have not seen this attack impacting any other versions. We urge everyone to apply the update however, and should the situation change we will post more information and guidance as it becomes available.

Keep the bolded portion in mind as you read this next writeup (the original from ISC):

quote:
Over the weekend there was a botnet doing fairly wide-scale scanning for hosts affected by the vulnerabilities in the MS06-040 advisory. While technically a botnet, it was spreading in a worm-like fashion.

Microsoft has updated Advisory 922437 due to this activity.

My current goal is to obtain a copy of this worm for further analysis and to play with (I have a few cool ideas to log data), so if anyone comes across it could you please quarantine a copy and send it my way... ht[at]computerdefense.org

Peace,
HT

05.30.06

New Releases - Linux Style!

Posted in IT, Linux, Operating Systems, Uncategorized at 8:54 pm by Tyler Reguly

So we've had some new releases in the Linux world lately.... Among these have been SuSE 10.1 and Backtrack 1.0 Final... And shortly we'll have a new Ubuntu as well...

As you're all free to visit the associated websites and find details, I won't spew too many (Not just yet anyways... I'm planning a full review of Backtrack in the future).

However, in the meantime... to help these great people conserve their bandwidth (Although, I'm sure Novell doesn't need the help), I've decided to mirror the software here..

Download Backtrack

Download SuSE

Peace,
HT