Adobe – why are you still using it, and how to replace it?

2013.10.05

If you are not yet aware of it: Adobe reported that the source code of several of its most widely used desktop applications was stolen.

As a result, we should definitely expect a wave of new 0-days and more sophisticated attacks against those products. If the previous history of Adobe products has not convinced you to remove them from your machine, I think now is the time 🙂

First of all: do you really need Adobe software on your [or your customers'] machines?

For Flash: the big streaming video services [YouTube, for example] have been able to play their content without Flash, using HTML5, for long enough. For the others, you may consider Pepper Flash [built from the same Adobe sources originally, so it is not bug-free]. You can download streaming files from a bunch of services and watch them locally [VLC will help you out]. Or: don't play Flash games, decline to see tons of Flash ads and switch to the non-Flash alternatives of your favourite services. Contact the vendors and tell them you are not using Flash anymore.

For Acrobat Reader: you already have plenty of options to choose from. Foxit, Nitro, Evince [my recommendations]. Yes, not all of them integrate with the browser, and not every application or web service knows how to talk to them. Whichever you pick, keep it patched; every PDF reader parses attacker-controlled files. Your PC, your choice 🙂

OK, let’s start:

OS:

Windows: uninstall Adobe Flash Player and Adobe Acrobat Reader via Control Panel (Programs and Features) and reboot.

Linux: use your package manager. If you have no idea what I am talking about, you should learn a bit more about the system you are using. For instance, in graphical mode you have Software Center in Ubuntu and PackageKit in Fedora 🙂

But that’s not all!

Flash Player:

In Firefox you can either disable Flash entirely or block it from running on a page without your permission.

To disable it completely: Tools – Add-ons – Plugins – select Shockwave Flash and set it to "Never Activate", then restart the browser.

To block it from running: install the add-on called Flashblock, which lets you permit each Flash object individually (click-to-play). The vulnerable plugin is still installed, but now running it is your decision and not the "good will" of whoever wrote the web page.

In Chrome you need to disable the built-in (Pepper) Flash plugin.

Enter "chrome://plugins/" (without quotes) in the address bar, press Enter and scroll down until the "Adobe Flash Player" entry appears. Click "Disable" and restart the browser.

In Internet Explorer go to Tools – Manage Add-ons, find every add-on published by Adobe (the Shockwave Flash ActiveX control and the Acrobat/Reader plugin), select each one, click "Disable", and then restart the browser.

Well, after all these changes the Internet may feel less familiar and it may be a bit harder to find a suitable service, but it will definitely be faster, and way more secure for your computer.
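One thing the package-manager step on Linux does not catch: plugin copies the package manager never owned. The script below is an added example (mine, not something from the original post) that searches the roots you pass for the usual Flash and Acrobat plugin files and reports whether a package owns each one; the file names are the standard Linux plugin names, and the search roots are an assumption you adapt to your system.

```bash
#!/usr/bin/env bash
# Added example (mine, not from the original post): after the package
# manager has removed the Flash and Acrobat packages on Linux, look for the
# copies it never owned. A libflashplayer.so dropped into ~/.mozilla/plugins
# by hand, or Chrome's bundled PepperFlash, keeps Flash alive in the browser
# even though the distro package is gone. The file names are the usual Linux
# plugin names; the roots to search are whatever the caller passes
# (typically /usr/lib /usr/lib64 /opt and the home directories).

# find_adobe_remnants ROOT... : print every Flash/Acrobat plugin file under the roots
find_adobe_remnants() {
    local root
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f \( -name libflashplayer.so \
                               -o -name libpepflashplayer.so \
                               -o -name 'flashplayer*.xpt' \
                               -o -name nppdf.so \
                               -o -name acroread \) 2>/dev/null
    done | sort -u
}

# owner_of FILE : the package that owns FILE, or "unowned" if it was installed by hand
owner_of() {
    local owner=""
    if command -v dpkg >/dev/null 2>&1; then
        owner=$(dpkg -S "$1" 2>/dev/null | cut -d: -f1) || owner=""
    elif command -v rpm >/dev/null 2>&1; then
        owner=$(rpm -qf --qf '%{NAME}\n' "$1" 2>/dev/null) || owner=""
    fi
    echo "${owner:-unowned}"
}

# report_adobe_remnants ROOT... : one "FILE<TAB>OWNER" line per hit.
# Owned files: remove the package. Unowned files: delete them yourself,
# then restart the browser and check about:plugins / chrome://plugins.
report_adobe_remnants() {
    local f
    find_adobe_remnants "$@" | while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(owner_of "$f")"
    done
}

# Usage: ./adobe-remnants.sh /usr/lib /usr/lib64 /opt "$HOME"
[ $# -eq 0 ] || report_adobe_remnants "$@"
```

Run it after the uninstall, not before: anything it still lists is a plugin the browser can load regardless of what the package database says.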

Good luck!

D.L.

p.s. Suggestions, replacements and ideas go in the comments; I will add them with proper credit 🙂

Update 1: thanks to Mohab Ali for some fixes in the text 🙂


List of compromised domains [2725] that spread RedKit EK.

2013.02.03

Hi all, folks.

Need your help.

For the last few months we have been watching the RedKit exploit kit spread all over, using compromised websites to get onto victims' machines.

At this point, the combined tracker results indicate that at least 2725 unique domains were compromised and participated in spreading RedKit between 11.11.2012 and 31.01.2013.

Since I literally have no free time to manage the whole cleanup process and no resources to support the owners of those web resources (most of them do not even respond to mail), here is the list

Please note that this list is not 100% solid: there were a few changes in the exploit kit's spreading system that required the tracking agent to be reconfigured, but the bottom line is that it is at least 90% accurate.

Some domains have been cleaned up, some were reported and taken down by the hosting company or the owner. Most of the listed hosts are still infected, I assume. And since the MDS reuses them frequently, the cleaned ones may well turn malicious again. Please act accordingly.

If your website is listed here:

Removal instructions [for site / host / shared-hosting owners]:

1. Search for .htaccess files and php.ini or .user.ini files in the root directories and check them for mod_rewrite.c entries (see more details here)

2. Remove the injected mod_rewrite.c section from .htaccess and the files it references

3. Hire a security professional to harden your website/service against future intrusions. If you don't, the malware will return.
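For step 1, an added example (mine, not part of the original post) that does the first pass over a web root: it lists every .htaccess, php.ini and .user.ini file and prints the lines that look like an exploit-kit redirector. The patterns are my assumptions about what such an injection looks like (a referer- or user-agent-gated RewriteCond, a RewriteRule or ErrorDocument pointing at a foreign URL, an auto_prepend_file/auto_append_file directive pulling in an injector script); a normal CMS .htaccess with local RewriteRules is not flagged.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: a triage scan for step 1.
# It lists every .htaccess, php.ini and .user.ini under a web root and
# prints the lines that an exploit-kit redirector typically adds. The
# patterns are assumptions about what such an injection looks like; read
# every hit before deleting anything, this is a lead generator, not a cleaner.

# Referer/UA-gated rewrite, external redirect target, external error page,
# or a PHP auto-prepend/append hook (assumed indicators, case-insensitive).
SUSPECT_RE='RewriteCond[[:space:]]+%\{HTTP_(REFERER|USER_AGENT)\}|RewriteRule[^#]*https?://|ErrorDocument[[:space:]]+[0-9]+[[:space:]]+https?://|auto_(prepend|append)_file'

# list_config_files ROOT : every .htaccess / php.ini / .user.ini under ROOT
list_config_files() {
    find "$1" -type f \( -name .htaccess -o -name php.ini -o -name .user.ini \) 2>/dev/null | sort
}

# scan_config_file FILE : print FILE:LINE:TEXT for each suspect line (no output = nothing found)
scan_config_file() {
    grep -nEi "$SUSPECT_RE" "$1" 2>/dev/null | sed "s|^|$1:|" || true
}

# scan_webroot ROOT : run scan_config_file over every config file under ROOT
scan_webroot() {
    local f
    list_config_files "$1" | while IFS= read -r f; do
        scan_config_file "$f"
    done
}

# count_suspect_lines ROOT : how many suspect lines were found (0 = clean by these patterns)
count_suspect_lines() {
    scan_webroot "$1" | grep -c . || true
}

# Usage: ./scan-htaccess.sh /var/www
[ $# -eq 0 ] || scan_webroot "$1"
```

A zero count only means none of these patterns matched; the kit has changed its redirector before, so also compare every flagged file's mtime with the last legitimate deployment and check the PHP files those directives point to.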

Stay Safe!

D.L.


DNS switch as anti-forensics feature in Malware

2012.12.20

A recent malware sample that I grabbed (and a few others did too, I am certain) does a very interesting thing:

Have a look at the code:

[mk1: image of the code, not reproduced on this page]

It literally changes the primary DNS server on the victim machine and then performs a lookup for its C&C, using a pseudo-random domain.

Interesting, I say 🙂 especially if you do DNS cache review or passive DNS monitoring for a living 🙂 Those lookups go straight to the attacker's resolver and never pass through your internal DNS server, so its cache and query logs show nothing.

As far as I can see, in this particular case the malware keeps running even if it does not succeed in switching the DNS server.

So, our purpose is to prevent it from doing this.

How? … Group Policy!

Create a new policy, go to User Configuration\Administrative Templates\Network\Network Connections and set "Prohibit access to properties of a LAN connection" to Enabled.

This prevents any user on the computer, even a local admin, from changing the network configuration manually through the connection's Properties dialog. Be aware that it is a UI restriction only: code running with administrative rights can still set the DNS server through netsh, WMI or the registry, so the policy stops a user from clicking through for the malware, not the malware itself. That is why the network-level control matters more.

In addition, it is recommended to run an internal DNS server for the LAN and, on the border router, block outgoing DNS traffic (UDP and TCP port 53) from any IP other than your internal DNS server. Log the drops: an internal host that hits that rule is using a resolver you did not configure, which is exactly what this sample leaves behind.
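The same policy can be checked after the fact from flow or connection logs. The script below is an added example (mine, not from the original post) that reports every internal host sending port-53 traffic to anything other than the allowed resolvers. The log format it reads, "timestamp src_ip dst_ip proto dst_port", one record per line, is an assumption for this example, as is the sample log it ships with; adjust the awk field numbers for your own export.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: find hosts whose DNS traffic
# bypasses the LAN resolver. Input is a flow/connection log with one record
# per line: "timestamp src_ip dst_ip proto dst_port" (an assumed format).
# Any host sending port-53 traffic to a destination that is not an allowed
# resolver is reported with a hit count; that is what a DNS-switching sample
# like the one above produces, and what the border rule should be dropping.

# rogue_dns_clients ALLOWED_RESOLVERS LOGFILE
#   ALLOWED_RESOLVERS is comma-separated (your internal DNS servers).
#   Prints "src -> dst count", sorted, one line per rogue pair.
rogue_dns_clients() {
    local allowed="$1" logfile="$2"
    awk -v allow="$allowed" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # fields: $1 ts, $2 src, $3 dst, $4 proto, $5 dport
        # the resolver itself forwarding upstream ($2 in ok) is expected traffic
        $5 == 53 && !($2 in ok) && !($3 in ok) { pairs[$2 " -> " $3]++ }
        END { for (p in pairs) print p, pairs[p] }
    ' "$logfile" | sort
}

# sample_flow_log : a constructed log for trying the function out offline.
# 10.0.0.53 is the LAN resolver; .37 and .44 have been pointed elsewhere.
sample_flow_log() {
    cat <<'EOF'
2012-12-20T10:00:01 10.0.0.21 10.0.0.53 udp 53
2012-12-20T10:00:02 10.0.0.53 8.8.8.8 udp 53
2012-12-20T10:00:03 10.0.0.37 10.0.0.53 udp 53
2012-12-20T10:00:04 10.0.0.37 198.51.100.7 udp 53
2012-12-20T10:00:05 10.0.0.37 198.51.100.7 udp 53
2012-12-20T10:00:06 10.0.0.21 10.0.0.53 tcp 53
2012-12-20T10:00:07 10.0.0.44 203.0.113.9 udp 53
2012-12-20T10:00:08 10.0.0.21 93.184.216.34 tcp 80
EOF
}

# Usage: ./rogue-dns.sh 10.0.0.53[,10.0.0.54] /var/log/flows.txt
if [ $# -ge 2 ]; then
    rogue_dns_clients "$1" "$2"
fi
```

On the constructed sample it reports 10.0.0.37 (two queries to 198.51.100.7) and 10.0.0.44 (one to 203.0.113.9) and stays quiet about the resolver's own upstream traffic. The corresponding border rule is the enforcement side of the same idea: permit port 53 from the resolver's address only, and LOG before you DROP so the report above can be built from the firewall log as well.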

Additional info about this piece of malware:

Size: 890 KB

SHA-256: 72d25f65ba822eb314a43321546ccf698a4b30e51f37406c27846671543e621f

VT: [18/45] https://www.virustotal.com/file/72d25f65ba822eb314a43321546ccf698a4b30e51f37406c27846671543e621f/analysis/

Must see: in the comments to this file, the analysis of the binary done by @unixfreaxjp

Similar sample analysis by Conrad Longmore at Dynamoo’s Blog here

Stay Safe

D.L.


Javascript include: from attacker to victim & how to check?

2012.11.19

Because of everything that happened recently, let me be quick 🙂

Various tools exist to automatically add text to web pages on compromised websites.

This is the chain of samples from a recent attack that I followed 🙂

Step 1:

The attacker breaks into a poorly configured website: through a software flaw, poor configuration or stolen credentials.

Software (a web shell) is uploaded to manage the website remotely, and the link is written into the attacker's database of compromised websites.

Step 2:

The bundle of websites is sent a command to add malicious code to each page (or to specific ones, the default page for example):

Sample1 [not reproduced on this page]

Read more…

Facebook Malware Checkpoint

2012.07.15

Facebook announced Malware Checkpoint, a service for detecting malicious activity on users' computers. The technical solutions are provided by Microsoft Security Essentials http://on.fb.me/infectedMSE and McAfee's Scan and Repair http://on.fb.me/infectedMcA .

Here is an overview of the process

Read more…

Egged WiFi – security review [v. 0.2]

2012.06.28

Today's review results: improvement detected! 🙂 But…

Read more…


Google Chrome Extensions – 40% have vulnerabilities.

2012.03.01

Last week, the University of California, Berkeley released the paper "An Evaluation of the Google Chrome Extension Security Architecture" by Nicholas Carlini, Adrienne Porter Felt, and David Wagner.

Let me add only the conclusion here:

"We performed a security review on a set of 100 Google Chrome extensions, including the 50 most popular, and found that 40% have at least one vulnerability. Based on this set of vulnerabilities, we evaluated the effectiveness of Chrome's three extension security mechanisms: isolated worlds, privilege separation, and permissions." (p. 12)

So, look at the paper itself and maybe consider using something else if you are using Chrome 🙂

p.s. And recommend to your clients not to use Chrome as the default browser…


Patch your home & work before the weekend starts

2012.02.16

A new bulletin from Adobe was released yesterday: more than 10 security flaws fixed, including a few 0-days already exploited in the wild.
Also, Microsoft released its monthly Security Bulletin as usual, with many security patches.

Make sure you are done with them, because the people diffing the patches already are 🙂

Preventing the use of SQLi to create a shell/backdoor.

2012.02.11

Thanks to this nice post by Arvind Doraiswamy, here are a few tips on how to prevent someone from creating a shell or backdoor script on your system/website through a SQL injection vulnerability.

Trivial, but well explained with pictures; IMHO a must-read for those who are not familiar with it.

Here they are, extended by me 🙂

1. Never build SQL by concatenating input. Use parameterized queries (prepared statements); where input really has to be embedded, validate it against the expected type or format and escape it with the database driver's own function. See the manuals, there are plenty of them on the Internet.

2. Don't leave world-writable directories under your web server's document root. If you need them (log directories, upload directories, etc.), know where they are, move them outside the web-accessible tree, or block web access to them (via an .htaccess file or otherwise). A directory that the database server can write to and the web server will execute from is all that SELECT ... INTO OUTFILE needs.

3. Query the database as a restricted account without the FILE privilege (in MySQL, FILE is what INTO OUTFILE requires). Run the database service itself under a restricted OS account as well (on Windows, for example, not as LocalSystem).

4. Disable default DB accounts; use passwords and password policies.

5. Securely manage not only the publicly accessible parts of your website or web application but also the restricted directories and functions. A web shell can be placed in your admin directory and linked from, or included via LFI into, a publicly accessible script.
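Two of these points can be checked rather than just remembered. The script below is an added example (mine, not from the original post nor from Arvind Doraiswamy's): writable_web_dirs finds the directories under a document root that anyone can write to (point 2), and file_priv_sql prints the MySQL statements that show who holds FILE and strip it from the application account (point 3). The document root, the schema name appdb and the account name are assumptions for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: two checks behind points 2 and 3.
# writable_web_dirs finds directories under the document root that anyone
# can write to, which is where "SELECT ... INTO OUTFILE" would land a shell.
# file_priv_sql prints the MySQL audit/fix statements for the FILE privilege.
# The document root, schema name (appdb) and account name are assumptions.

# writable_web_dirs DOCROOT : directories under DOCROOT writable by "other"
writable_web_dirs() {
    find "$1" -type d -perm -o+w 2>/dev/null | sort
}

# file_priv_sql APP_USER : audit + fix statements, e.g.
#   file_priv_sql app | mysql -u root -p
file_priv_sql() {
    local app_user="$1"
    cat <<SQL
-- Who can write files on the database host? (FILE is what INTO OUTFILE needs.)
SELECT User, Host FROM mysql.user WHERE File_priv = 'Y';
-- Where can they write? NULL disables INTO OUTFILE entirely, a directory
-- confines it, an empty value means anywhere mysqld can write (e.g. the DocumentRoot).
SHOW VARIABLES LIKE 'secure_file_priv';
-- The web application account must not be able to write files...
REVOKE FILE ON *.* FROM '${app_user}'@'localhost';
-- ...and only needs DML on its own schema.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO '${app_user}'@'localhost';
FLUSH PRIVILEGES;
SQL
}

# Usage: ./sqli-shell-check.sh /var/www/html app
if [ $# -ge 1 ]; then
    echo "## world-writable directories under $1:"
    writable_web_dirs "$1"
    [ $# -ge 2 ] && { echo "## SQL to run as root:"; file_priv_sql "$2"; }
fi
```

Removing FILE closes the INTO OUTFILE route, but the injection itself is still there; point 1 is what actually fixes it, the rest limits what an attacker gets in the meantime.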


PHP code review

2011.12.12

There are so many automatic tools for PHP code review that I almost forgot how to do it manually.

I am looking forward to preparing a hands-on manual for PHP code review: looking for known, less known or possibly unknown (?) code vulnerabilities.

upd1: Oh! Looks like I am not the only one thinking about going back to basics. Ryan Dewhurst from InfoSec: "Finding Security Vulnerabilities in PHP Using Grep"

Upd2: Now that I look at it, some previous work has been done, but as usual, when someone starts to review what to look for and how to look, someone points him to an automatic tool that "does the job", like RIPS, and there it stops 🙂 The major result: fewer and fewer people know what exactly they are looking for and, more interesting, what they miss. )

p.s. Actually, when you look at the code itself, it transcends language borders and differences. I have already found a few articles in Arabic with code examples, one Chinese forum with brilliant ideas (in open access and Google-indexed; I am sure there are many more) and a lot of Russian articles (those I still remember 🙂 )
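The grep approach, as an added example (mine, not from the original post nor from the article it links): a first pass that prints file:line:code for the sinks a manual PHP review usually starts from. The sink list is my own selection and not complete; every hit is a lead to trace back to its input, not a finding by itself.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or the grep article it links:
# a first-pass grep for the sinks a manual PHP review starts from. It prints
# file:line:code for every hit; the review proper is tracing whether
# attacker-controlled input can reach each one. The sink list is my own
# selection, not a complete one, and a hit is a lead, not a finding.

# A word boundary that works in plain ERE (no \b needed).
B='(^|[^[:alnum:]_])'
# Code / command execution.
EXEC_SINKS="${B}(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)[[:space:]]*\\("
# File inclusion with a variable path (LFI/RFI).
FILE_SINKS="${B}(include|include_once|require|require_once)[[:space:]]*\\(?[[:space:]]*\\\$"
# preg_replace with the /e modifier (eval in disguise).
PREG_E="preg_replace[[:space:]]*\\([[:space:]]*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"
# Raw query calls with a request variable on the same line (SQLi).
SQL_SINKS="(mysql_query|mysqli_query|->query|pg_query)[[:space:]]*\\(.*\\\$_(GET|POST|REQUEST|COOKIE)"
# unserialize() of request data (object injection).
DESER="${B}unserialize[[:space:]]*\\(.*\\\$_(GET|POST|REQUEST|COOKIE)"

# g PATTERN ROOT : recursive grep over *.php that never fails on "no match"
g() { grep -rnE --include='*.php' "$1" "$2" 2>/dev/null || true; }

# grep_sinks ROOT : file:line:code for every sink hit under ROOT, deduplicated
grep_sinks() {
    local root="$1"
    {
        g "$EXEC_SINKS" "$root"
        g "$FILE_SINKS" "$root"
        g "$PREG_E"     "$root"
        g "$SQL_SINKS"  "$root"
        g "$DESER"      "$root"
    } | sort -u
}

# sink_hit_count ROOT : number of distinct hit lines (0 = nothing to chase with these patterns)
sink_hit_count() { grep_sinks "$1" | grep -c . || true; }

# Usage: ./php-sinks.sh /var/www/app
[ $# -eq 0 ] || grep_sinks "$1"
```

The SQL and unserialize patterns only fire when the request variable sits on the same line as the call, which is exactly the case a tool like this misses when the input was copied into $id three lines earlier; that gap is the part of the review that still has to be done by hand.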
