Feb 23, 2011

Secure Erase

This summarizes an article by Craig Wright, a Director with Information Defense in Australia.

In the article, Erasing drives should be quick and easy, he shows a way to perform a secure erase and lists several pieces of FUD about data recovery, such as:

  • X-Ray machines and scanners will erase a drive;
  • SEM or AFM (electron microscopy will do) could be used to recover data;
  • Government or NSA can read your wiped drives;
The simplest way to wipe a hard disk is the firmware Secure Erase (SE) command built into ATA drives (PATA and SATA alike). A full erase using SE takes 30 minutes to an hour, so it is quick, the result is non-recoverable, and it does away with the multi-pass overwrite rituals and the FUD that still surrounds them. The drive has to actually support it: hdparm -I lists "supported" under its Security section, together with the drive's own estimate of how long the erase will take.

Here are the steps to wipe a drive with the hdparm utility (replace /dev/sda with the target drive; a wrong device name wipes the wrong disk):

  1. Log in as root.
  2. Check that the drive supports Secure Erase and is not security frozen (the Security section of the output must read "not frozen"; many BIOSes freeze drives at boot, and a suspend/resume cycle or hot-plugging the drive usually unfreezes it): hdparm -I /dev/sda
  3. Set a temporary user password (Eins in this example) in the user, not the master, password slot; the master password is left untouched: hdparm --user-master u --security-set-pass Eins /dev/sda
  4. Confirm that the Security section now reads "enabled": hdparm -I /dev/sda
  5. Issue the ATA Secure Erase command with the same password. It blocks until the drive is done and must not be interrupted, or the drive remains locked with that password: hdparm --user-master u --security-erase Eins /dev/sda
  6. Verify the erase completed: the Security section should read "not enabled" again, since a successful erase clears the password: hdparm -I /dev/sda
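The six steps above as one script, an added example that is not from the article or from hdparm itself. It parses the Security section of hdparm -I output and refuses to go on unless the drive supports SE, is not frozen and has no password set; the two hdparm invocations are only executed when dry_run is False. The sample hdparm -I text is constructed (its layout follows what hdparm prints, with tabs), and /dev/sdX and the password Eins are placeholders.

```python
"""Wrapper for the hdparm Secure Erase sequence with precondition checks.
Added example: not from the article or from hdparm. The sample 'hdparm -I'
output is constructed; /dev/sdX and the password are placeholders."""
import re
import subprocess

# Constructed sample: Security section of 'hdparm -I' for a drive that
# supports SE, is not frozen and has no password set. hdparm separates
# "not" from the flag with a tab; the parser splits on whitespace.
SAMPLE_READY = """\
/dev/sdX:

ATA device, with non-removable media
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000000000000000
"""
SAMPLE_FROZEN = SAMPLE_READY.replace("not\tfrozen", "frozen")


def security_section(info):
    """Indented lines under 'Security:' in hdparm -I output."""
    lines, grab = [], False
    for line in info.splitlines():
        if line.startswith("Security:"):
            grab = True
        elif grab and line and not line[0].isspace():
            break  # next top-level heading ends the section
        elif grab:
            lines.append(line)
    return lines


def security_flag(info, flag):
    """True/False for a flag such as 'frozen' or 'enabled' ('not<tab>frozen'
    is False); None when the section or the flag is missing."""
    for line in security_section(info):
        words = line.split()
        if words == [flag]:
            return True
        if words == ["not", flag]:
            return False
    return None


def erase_minutes(info):
    """The drive's own estimate for a normal SECURITY ERASE UNIT (0 if absent)."""
    m = re.search(r"(\d+)min for SECURITY ERASE UNIT", info)
    return int(m.group(1)) if m else 0


def ready_to_erase(info):
    """(ok, reason): SE needs an unfrozen drive that supports it and has no
    user password set yet."""
    if not any(line.split() == ["supported"] for line in security_section(info)):
        return False, "Secure Erase not supported"
    if security_flag(info, "frozen") is not False:
        return False, "drive is security frozen (suspend/resume or hot-replug it first)"
    if security_flag(info, "enabled") is not False:
        return False, "security already enabled: a password is set on the drive"
    return True, "ok"


def hdparm_identify(dev):
    return subprocess.run(["hdparm", "-I", dev], check=True,
                          capture_output=True, text=True).stdout


def secure_erase(dev, password="Eins", dry_run=True, info=None):
    """Steps 2-6. Returns the hdparm commands issued (with dry_run, the ones
    that would have been). `info` lets a caller pass captured 'hdparm -I'
    output instead of querying the drive."""
    issued = []

    def hdparm(*args):
        issued.append("hdparm " + " ".join(args))
        if not dry_run:
            subprocess.run(["hdparm", *args], check=True)

    info = info if info is not None else hdparm_identify(dev)
    ok, why = ready_to_erase(info)
    if not ok:
        raise RuntimeError(f"{dev}: {why}")
    print(f"{dev}: drive estimates {erase_minutes(info)} min for SECURITY ERASE UNIT")
    hdparm("--user-master", "u", "--security-set-pass", password, dev)  # step 3
    if not dry_run and security_flag(hdparm_identify(dev), "enabled") is not True:
        raise RuntimeError(f"{dev}: password was not accepted")       # step 4
    # Step 5 blocks until the drive finishes. Do not interrupt it: a half-done
    # erase leaves the drive locked with `password`.
    hdparm("--user-master", "u", "--security-erase", password, dev)
    if not dry_run and security_flag(hdparm_identify(dev), "enabled") is not False:
        raise RuntimeError(f"{dev}: security still enabled after erase")  # step 6
    return issued


if __name__ == "__main__":
    import sys
    # python secure_erase.py /dev/sdX --really   (without --really: dry run)
    for cmd in secure_erase(sys.argv[1], dry_run="--really" not in sys.argv):
        print(cmd)
```

If the Security section also lists "supported: enhanced erase", hdparm's --security-erase-enhanced option can replace --security-erase in step 5; the enhanced variant also covers sectors the drive has reallocated.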

References:
  • http://sourceforge.net/projects/hdparm/
  • http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
  • https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Feb 17, 2011

Multiple IP Addresses with Windows OS

Here's a batch script to configure multiple IPv4 addresses on Windows 7 or Windows Server 2008. "eth0" stands for the interface name exactly as netsh interface ipv4 show interfaces lists it (on Windows that is usually something like "Local Area Connection" rather than eth0). Create a batch file like the one below:

netsh in ip add address "eth0" 10.0.0.2 255.0.0.0
netsh in ip add address "eth0" 10.0.0.3 255.0.0.0
netsh in ip add address "eth0" 10.0.0.4 255.0.0.0
netsh in ip add address "eth0" 10.0.0.5 255.0.0.0
netsh in ip add address "eth0" 10.0.0.6 255.0.0.0
[...]
netsh in ip add address "eth0" 10.0.0.226 255.0.0.0

Or do it with a single for loop typed at the command prompt (inside a batch file, write %%a instead of %a). Note that this loop uses a /24 mask, 255.255.255.0, whereas the batch file above uses 255.0.0.0, and that it also adds 10.0.0.1 and 10.0.0.254; pick the mask that matches your subnet and trim the range so it skips addresses already in use, such as the gateway:
for /L %a in (1,1,254) do netsh in ip add address "eth0" 10.0.0.%a 255.255.255.0
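The same task scripted in Python, as an added example that is not part of the original post: it computes the address range with the standard ipaddress module, skips addresses the interface already has (parsed from the output of netsh interface ipv4 show addresses) as well as the network and broadcast addresses, and runs one netsh interface ipv4 add address per remaining address, or only prints them in dry-run mode. The interface name "Local Area Connection", the range 10.0.0.2 to 10.0.0.226 and the sample netsh output are assumptions and constructed data, not taken from the post.

```python
"""Plan (and optionally run) netsh commands for a range of secondary IPv4
addresses. Added example, not from the original post. The interface name,
range and mask are placeholders; the netsh output below is constructed in
the layout of 'netsh interface ipv4 show addresses'."""
import ipaddress
import re
import subprocess

SAMPLE_SHOW_ADDRESSES = """\
Configuration for interface "Local Area Connection"
    DHCP enabled:                         No
    IP Address:                           10.0.0.1
    Subnet Prefix:                        10.0.0.0/24 (mask 255.255.255.0)
    IP Address:                           10.0.0.2
    Subnet Prefix:                        10.0.0.0/24 (mask 255.255.255.0)
    Default Gateway:                      10.0.0.254
    Gateway Metric:                       0
    InterfaceMetric:                      10
"""


def configured_addresses(show_output):
    """Addresses already bound to the interface, parsed from netsh's text."""
    return {ipaddress.IPv4Address(a)
            for a in re.findall(r"IP Address:\s+(\d+\.\d+\.\d+\.\d+)", show_output)}


def plan_commands(iface, first, last, mask, show_output=""):
    """One 'netsh interface ipv4 add address' argv per address in first..last
    (inclusive) that is not already configured and is neither the network
    nor the broadcast address of the subnet `mask` describes."""
    net = ipaddress.IPv4Network((first, mask), strict=False)
    have = configured_addresses(show_output)
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo or hi not in net:
        raise ValueError(f"range {first}-{last} is not inside {net}")
    commands = []
    for n in range(int(lo), int(hi) + 1):
        ip = ipaddress.IPv4Address(n)
        if ip in have or ip in (net.network_address, net.broadcast_address):
            continue
        # Positional form, the same one the batch file uses; subprocess quotes
        # the interface name for netsh if it contains spaces.
        commands.append(["netsh", "interface", "ipv4", "add", "address",
                         iface, str(ip), mask])
    return commands


def apply(iface, first, last, mask, dry_run=True):
    """Query the interface, then run (or, with dry_run, just print) the plan."""
    show = subprocess.run(["netsh", "interface", "ipv4", "show", "addresses", iface],
                          capture_output=True, text=True).stdout
    commands = plan_commands(iface, first, last, mask, show)
    for argv in commands:
        if dry_run:
            print(subprocess.list2cmdline(argv))
        else:
            subprocess.run(argv, check=True)
    return commands


if __name__ == "__main__":
    # python add_addresses.py --really   (without --really: dry run)
    import sys
    apply("Local Area Connection", "10.0.0.2", "10.0.0.226", "255.255.255.0",
          dry_run="--really" not in sys.argv)
```

plan_commands has no side effects, so the plan can be checked against captured netsh output before anything on the box changes; the script only calls netsh when run with --really.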

Feb 12, 2011

Windows Security Event ID

A very good reference for Windows Security Event ID: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

Analyzing Suspicious PDF Files With PDF Stream Dumper

The following is Lenny Zeltser's post of the same title, reproduced here:

Targeting a vulnerability in Acrobat Reader is one of the more popular ways of compromising systems nowadays. PDF Stream Dumper is a free tool for analyzing suspicious PDF files, and is an excellent complement to the tools and approaches I outlined in the Analyzing Malicious Documents cheat sheet.

For this introductory walk-through, I will use a malicious PDF file that I obtained from Contagio Malware Dump. If you’d like to experiment with this file in an isolated laboratory environment, you’re welcome to download the malicious PDF from my server; the password to the zip file is the word “infected”.

PDF Stream Dumper is a self-contained program that runs on Microsoft Windows and contains a convenient graphical user interface. The tool contains numerous features. I will only touch upon some of them here.

Examining a PDF File for Suspicious Characteristics

After installing PDF Stream Dumper, load the suspicious PDF file into it and start looking around. The tool includes a number of signatures of known PDF exploits. To scan the file, select “Exploits_Scan” from the menu:

In this case, PDFStreamDumper identifies the exploit and specifies where it’s present in the PDF file:

Exploit CVE-2007-5659 - collectEmailInfo - found in stream: 31

You can use the left pane of the tool to navigate through the file's objects to examine their contents. The tool will decode streams where necessary. For instance, viewing the stream in object 31 shows us embedded JavaScript:

Another way to locate suspicious objects within the PDF file is to use the tool’s “Search For” feature, which can automatically locate JavaScript, Flash objects among other entities:


Examining Malicious JavaScript in the PDF File

When looking at JavaScript embedded in a PDF object, we can click the “JavaScript_UI” button to bring up the interactive JavaScript viewer and interpreter, which is built into PDF Stream Dumper:


Sometimes, the scripts embedded into PDF files are obfuscated. PDF Stream Dumper allows you to run these scripts using the built-in interpreter, which can help you deobfuscate them.

In the example we’re examining now, the script isn’t obfuscated. It seems to contain Unicode-encoded text, which is probably shellcode:


Examining Shellcode Embedded in the PDF File

Shellcode is typically used to store the payload of the exploit—the malicious code that will be executed on the victim's system. PDF Stream Dumper provides several tools for understanding the capabilities of the shellcode embedded into the file through its "Shellcode_Analysis" menu.

For example, we can select “scSigs” to emulate the execution of the script using the built-in LibEmu engine and look for signatures of the API calls often present in shellcode:


The tool recognizes the signatures of WriteFile and WinExec. This shellcode probably uses these calls to save and execute a malicious Windows executable, which it might download from the Internet or which might be embedded into the PDF file itself.

We can get another perspective on the shellcode by running it using the built-in iDefense shellcode logger module “sclog”:


The tool shows us that the shellcode executes the GetFileSize API call. This is often used as part of malicious document files to locate code embedded into the file. Most likely, this shellcode uses GetFileSize to locate the malicious executable embedded into the PDF.

We now are reasonably certain that we’re dealing with a malicious PDF file that exploits the CVE-2007-5659 vulnerability in Acrobat Reader to extract and run a malicious executable embedded in the PDF. We’d need to perform additional steps to extract and examine that executable, but that is outside the scope of this brief note.

If you like analyzing malicious programs, take a look at the Reverse-Engineering Malware course I teach at SANS. If you’re just getting to know malware, you might also like my Combating Malware course.

Lenny Zeltser
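The same triage steps done by hand in Python rather than with PDF Stream Dumper, as an added example that is not part of Lenny Zeltser's post or of the tool: walk the objects, inflate FlateDecode streams, pull out the JavaScript whether it sits in a referenced stream or in an inline string, match it against a small signature list, and turn the %uXXXX strings that unescape() would build into the raw bytes that end up in memory. The PDF is constructed inline and its script is a harmless stand-in; the collectEmailInfo signature mirrors the CVE-2007-5659 hit shown in the post, the other two entries are generic heuristics; and the regex-based object walker is a triage aid, not a PDF parser (no escaped parentheses, object streams or cross-reference streams).

```python
"""Manual PDF triage: inflate streams, find JavaScript, match signatures,
decode %u strings. Added example, not PDF Stream Dumper's code; the sample
PDF is constructed."""
import re
import struct
import zlib

# Tiny signature table. The first entry mirrors the collectEmailInfo hit the
# tool reports for CVE-2007-5659; the other two are generic triage heuristics.
SIGNATURES = {
    "CVE-2007-5659 collectEmailInfo": re.compile(rb"collectEmailInfo\s*\("),
    "heap-spray pattern": re.compile(rb"unescape\s*\(\s*['\"]%u[0-9a-fA-F]{4}%u"),
    "util.printf": re.compile(rb"util\.printf\s*\("),
}
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)


def stream_data(body):
    """Raw bytes between 'stream' and 'endstream', trusting a direct /Length
    when there is one (an indirect '/Length n 0 R' is ignored)."""
    start = re.search(rb"stream\r?\n", body)
    if not start:
        return None
    s = start.end()
    length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", body)
    if length:
        return body[s:s + int(length.group(1))]
    return body[s:body.find(b"endstream", s)].rstrip(b"\r\n")


def iter_objects(pdf):
    """Yield (object number, dictionary bytes, decoded stream bytes or None)
    for every 'n g obj ... endobj' in the file."""
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        dictionary = body.split(b"stream", 1)[0]
        stream = stream_data(body)
        if stream is not None and b"/FlateDecode" in dictionary:
            try:
                stream = zlib.decompress(stream)
            except zlib.error:
                pass  # damaged or deliberately malformed: keep the raw bytes
        yield num, dictionary, stream


def find_javascript(pdf):
    """{object number: script bytes} for every /JS or /JavaScript action.
    The script is either an indirect stream ('/JS 31 0 R') or an inline
    literal string ('/JS (...)'); escaped parentheses are not handled."""
    objs = {n: (d, s) for n, d, s in iter_objects(pdf)}
    scripts = {}
    for num, (dictionary, _) in objs.items():
        if b"/JS" not in dictionary and b"/JavaScript" not in dictionary:
            continue
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", dictionary)
        lit = re.search(rb"/JS\s*\((.*)\)", dictionary, re.S)
        if ref and int(ref.group(1)) in objs:
            target = int(ref.group(1))
            body, stream = objs[target]
            scripts[target] = stream if stream is not None else body
        elif lit:
            scripts[num] = lit.group(1)
    return scripts


def scan_exploits(pdf):
    """Counterpart of the tool's Exploits_Scan: sorted (signature, object) hits."""
    hits = []
    for num, script in find_javascript(pdf).items():
        hits.extend((name, num) for name, rx in SIGNATURES.items() if rx.search(script))
    return sorted(hits)


def decode_unescape_strings(script):
    """Bytes each unescape('%uXXXX...') call would produce: every %u unit is
    one little-endian 16-bit value, which is how the payload sits in memory."""
    runs = re.findall(rb"unescape\s*\(\s*['\"]((?:%u[0-9a-fA-F]{4})+)['\"]", script)
    return [b"".join(struct.pack("<H", int(u, 16))
                     for u in re.findall(rb"%u([0-9a-fA-F]{4})", run))
            for run in runs]


# Constructed sample: an OpenAction that runs JavaScript stored in a
# FlateDecode stream in object 31, like the file in the post. The %u data is
# a NOP sled plus filler, not working shellcode.
SAMPLE_JS = (b"var shellcode = unescape('%u9090%u9090%ue8fc%u0089');\n"
             b"var block = unescape('%u0c0c%u0c0c');\n"
             b"Collab.collectEmailInfo({subj: '', msg: block});\n")


def build_sample_pdf(script=SAMPLE_JS):
    comp = zlib.compress(script)
    head = (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"5 0 obj << /S /JavaScript /JS 31 0 R >> endobj\n")
    obj31 = b"31 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp)
    return head + obj31 + comp + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    for name, num in scan_exploits(data):
        print(f"Exploit {name} - found in object: {num}")
    for num, js in find_javascript(data).items():
        for i, sc in enumerate(decode_unescape_strings(js)):
            print(f"object {num}: unescape string {i}: {len(sc)} bytes, starts {sc[:4].hex()}")
```

The decoded byte strings are what you would hand to an emulator such as libemu, or to a disassembler, to get the WriteFile/WinExec view the post obtains from the tool.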

Feb 3, 2011

How to hack a Marathon?

I haven't tried it yet.

I read this article, How to hack a marathon if you aren’t a runner, and found that it is very interesting. The author managed to finish the marathon in 4 hours and 28 minutes without training.

Here's how he hacked it:
  1. Don’t plan on running the whole thing
  2. Take 4 Advil an hour before the race (Not recommended by physicians, but it’s what we did.)
  3. Take a walking break at every mile marker
  4. Eat half a banana whenever you see one
  5. Take two waters at every water station
  6. Eat no more than 3 Gu energy packs because our stomachs didn’t like them
  7. Take bathroom breaks
  8. Walk every hill
  9. Meet interesting people and use conversation to kill the pain
  10. Put bandaids on your nipples to prevent bleeding

Feb 2, 2011

How long does it take to download a 2GB MKV file?

We all like to download MKV (or other format) movie files. Here's a quick trick for estimating how long a 2GB MKV file takes to download.

The download speed depends on the ADSL line speed you subscribe to. For example:

  • Your file is 2GB size.
  • Your link speed is 2Mbps.
  • You are estimating 80% link speed, to account for the network overhead.
So go to Google search and type this:
2GB / ( 2Mbps * 0.8)

The result shows an estimated 2.85 hours to complete the download.

See other examples at http://stuffphilwrites.com/2011/01/long-image/

Feb 1, 2011

10 Advanced GMail Search Examples

1. Example: in:inbox label:facebook is:unread
(Search for all unread emails in the inbox that are labeled facebook.)
2. Example: in:anywhere from:peter
(Search all emails, regardless of where they're stored (spam, inbox, trash), for those received from anyone named Peter.)
3. Example: is:unread after:2010/06/01 before:2010/07/01
(Search for all unread mails from the month of June 2010.)
4. Example: from:peter@emailaddress.com has:attachment
(Return all emails with attachments sent by peter@emailaddress.com.)
5. Example: in:inbox "meeting"
(Search the inbox for any emails containing the keyword "meeting".)
6. Example: from:peter@emailaddress.com has:attachment filename:zip
(Return only emails received from peter@emailaddress.com with .zip attachments.)
7. Example: "facebook" -from:@facebookmail.com
(Return all emails with the keyword "facebook", excluding those sent from facebookmail.com.)
8. Example: to:peter OR cc:peter
(Return all emails sent or carbon-copied to Peter.)
9. Example: label:google OR from:@google.com
(Return all emails received from google.com or labeled "google".)
10. Example: "meeting" is:chat
(Return all chat logs containing the keyword "meeting".)


Read more: Gmail Advanced Search - Ultimate Guide http://www.hongkiat.com/blog/gmail-advanced-search-ultimate-guide/