Friday, August 27, 2010

ISSA Day July with Conviso talking about Blackhat/Defcon/B-Sides

The ISSA Brazil Chapter invites everyone interested to take part in ISSA Day August 2010.
The event is free and open to anyone interested, and it is supported by the company Conviso IT Security.
Conviso IT Security
Date: August 31, 2010, from 19:00 to 22:00
Agenda:
19h00 – Registration
19h30 – ISSA talk - Why be part of ISSA?
20h00 – Opening, talking about Conviso
20h15 – The security process in development, which is not ISO 15.408
21h00 – Talk about Black Hat and Defcon
21h45 – Conviso training raffle and closing – with HH
Venue:
Bar Genoino.
Rua Joaquim Távora 1217, Vila Mariana – São Paulo – SP

To register: http://www.issabrasil.org/2010/08/24/issa-day-agosto-2010/

I'll certainly be there =)!

Happy Hacking!

Rodrigo "Sp0oKeR" Montoro

Wednesday, August 18, 2010

Updated some info for SET (Social Engineer Toolkit) PDFs x AntiVirus & Scoring System

The VirusTotal Public API will make my life much easier. See my previous post about it: http://spookerlabs.blogspot.com/2010/08/virus-total-public-api.html

Some results really surprised me. Take a look and draw your own conclusions.

Best antivirus engines at detecting the SET malicious PDFs (higher is better):

      7  "Sophos"
      7  "Microsoft"
      7  "GData"
      7  "F-Secure"
      7  "F-Prot"
      7  "ClamAV"
      7  "BitDefender"
      7  "Avast5"
      7  "Avast"
      6  "Sunbelt"
      6  "nProtect"
      6  "McAfee-GW-Edition"
      6  "eTrust-Vet"
      5  "Symantec"
      5  "PCTools"
      4  "eSafe"
      3  "NOD32"
      3  "Kaspersky"
      3  "Ikarus"
      3  "Emsisoft"
      3  "Antiy-AVL"
      2  "McAfee"
      1  "VBA32"
      1  "Panda"
      1  "AVG"
      1  "Authentium"
      1  "AntiVir"
      1  "AhnLab-V3"


Missed detections for the SET malicious PDFs (higher is worse):

      7  "VirusBuster"
      7  "ViRobot"
      7  "TrendMicro-HouseCall"
      7  "TrendMicro"
      7  "TheHacker"
      7  "SUPERAntiSpyware"
      7  "Rising"
      7  "Prevx"
      7  "Norman"
      7  "Jiangmin"
      7  "Fortinet"
      7  "DrWeb"
      7  "Comodo"
      7  "CAT-QuickHeal"
      6  "VBA32"
      6  "Panda"
      6  "AVG"
      6  "Authentium"
      6  "AntiVir"
      6  "AhnLab-V3"
      5  "McAfee"
      4  "NOD32"
      4  "Kaspersky"
      4  "Ikarus"
      4  "Emsisoft"
      4  "Antiy-AVL"
      3  "eSafe"
      2  "Symantec"
      2  "PCTools"
      1  "Sunbelt"
      1  "nProtect"
      1  "McAfee-GW-Edition"
      1  "eTrust-Vet"

As we can see, many antivirus engines missed every PDF generated by SET, which is a big problem for companies. Some antivirus products have detection methods that VirusTotal does not exercise, and it is possible that those methods would catch these files.

I'll do a bigger analysis against all my PDFs and share the results.

Happy Hacking!

Rodrigo "Sp0oKeR" Montoro

Tuesday, August 17, 2010

Virus Total Public API

Today I started to play with the VirusTotal Public API: http://www.virustotal.com/advanced.html

My initial idea was to send files from the command line and get the results quickly, so I don't need a web browser and don't spend time uploading the file.

I read their initial samples/docs and built a mix of code in Python (mostly taken from their samples) and Perl (the only language I can try something in). What I have so far:

$ perl vt-auto.pl /LABS/pdf-basics/samples/AdamSamples/15

Sending file /LABS/pdf-basics/samples/AdamSamples/15 to Virus Total ...
Response from VT with resource "86ee2f99a207d31ea2b69198dc2bf5e7c7946eeae7dacdd6032f2c050525bc07-1282091669"

Waiting 120 seconds to wait file /LABS/pdf-basics/samples/AdamSamples/15 be scanned ...

Sending request fo Virus Total about /LABS/pdf-basics/samples/AdamSamples/15 with resource "86ee2f99a207d31ea2b69198dc2bf5e7c7946eeae7dacdd6032f2c050525bc07-1282091669"

Report Results for /LABS/pdf-basics/samples/AdamSamples/15 :
"nProtect": "Trojan-Exploit/W32.Pidief.16718.AV"
 "CAT-QuickHeal": ""
 "McAfee": "Exploit-PDF.b.gen"
 "TheHacker": ""
 "VirusBuster": "JS.Crypt.BSP"
 "NOD32": "PDF/Exploit.Pidief.AUT"
 "F-Prot": "JS/Psyme.HU"
 "Symantec": "Trojan.Pidief.D"
 "Norman": "JS/Shellcode.GS"
 "TrendMicro-HouseCall": "TROJ_PIDIEF.ADY"
 "Avast": "JS:Pdfka-PO"
 "eSafe": "PDF.Exploit.2"
 "ClamAV": "Suspect.PDF.ObfuscatedJS-5"
 "Kaspersky": "Exploit.Win32.Pidief.aut"
 "BitDefender": "Exploit.PDF-JS.Gen"
 "ViRobot": ""
 "Sophos": "Mal/PdfEx-C"
 "Comodo": "TrojWare.Win32.Exploit.Pidief.aut"
 "F-Secure": "Exploit.PDF-JS.Gen"
 "DrWeb": "Exploit.PDF.166"
 "AntiVir": "EXP/Pidief.JX"
 "TrendMicro": "TROJ_PIDIEF.ADY"
 "Emsisoft": "Exploit.Pidief!IK"
 "eTrust-Vet": "PDF/Pidief.IQ"
 "Authentium": "PDF/Obfusc.D!Camelot"
 "Jiangmin": ""
 "Antiy-AVL": "Exploit/Win32.Pidief"
 "Microsoft": "Exploit:Win32/Pdfjsc.AS"
 "SUPERAntiSpyware": ""
 "Prevx": ""
 "GData": "Exploit.PDF-JS.Gen"
 "AhnLab-V3": "PDF/Shellcode"
 "VBA32": ""
 "Sunbelt": "Exploit.PDF-JS.Gen (v)"
 "PCTools": "Trojan.Pidief"
 "Rising": ""
 "Ikarus": "Exploit.Pidief"
 "Fortinet": ""
 "AVG": "Exploit"
 "Panda": ""
 "Avast5": "JS:Pdfka-PO"

Detection : (31/41)

I'll improve and fix the code so I can share it, because right now that's impossible. The 120 seconds I wait is just to make sure the scan finishes before I try to retrieve the results, but depending on file size it will sometimes fail.

A nice resource from the VirusTotal team, congratulations!

Happy Hacking!

Rodrigo "Sp0oKeR" Montoro
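The two VirusTotal posts above describe the same workflow twice: submit a file, fetch the report once the scan is done, and then tally which engines caught or missed each sample. The fixed 120-second sleep is the weak spot the author points out, so the added example below replaces it with polling until the report is ready, and it includes the scoreboard behind the "best" and "missed" lists. This is hypothetical helper code written for this page, not the author's vt-auto.pl, and it assumes the VirusTotal public API v2 report call (form fields `apikey` and `resource`, `response_code` 1 = ready and -2 = queued, a `scans` map of `{engine: {detected, result}}`); `VT_REPORT_URL`, `SAMPLE_REPORTS`, the `EngineA/B/C` names and the placeholder API key are all constructed for the example.

```python
# Added example (hypothetical, not the author's vt-auto.pl). Assumes the
# VirusTotal public API v2 report call: form fields apikey/resource,
# response_code 1 = ready, -2 = queued, scans = {engine: {detected, result}}.
import io
import json
import time
import urllib.parse
import urllib.request

VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"  # assumption


def parse_vt_report(body):
    """Reduce raw report JSON to {engine: signature or None}; None if not ready."""
    if body.get("response_code") != 1:
        return None
    return {engine: (scan.get("result") if scan.get("detected") else None)
            for engine, scan in body.get("scans", {}).items()}


def fetch_vt_report(api_key, resource, opener=urllib.request.urlopen):
    """One report query; `opener` is injectable so the flow runs offline in tests."""
    form = urllib.parse.urlencode({"apikey": api_key, "resource": resource}).encode()
    with opener(VT_REPORT_URL, data=form) as resp:
        return parse_vt_report(json.load(resp))


def wait_for_report(poll, max_wait=600, interval=15, sleep=time.sleep):
    """Poll until `poll()` returns a report instead of sleeping a fixed 120 s.
    Raises TimeoutError once `max_wait` seconds of waiting have been spent."""
    waited = 0
    while True:
        report = poll()
        if report is not None:
            return report
        if waited >= max_wait:
            raise TimeoutError("report not ready after %d seconds" % waited)
        sleep(interval)
        waited += interval


def detection_ratio(report):
    """(hits, engines) pair behind a line such as 'Detection : (31/41)'."""
    return sum(1 for sig in report.values() if sig), len(report)


def tally_engines(reports):
    """Per engine, count files caught and files missed across many reports.
    Returns (best, worst): (engine, count) lists sorted highest first, i.e. the
    'Best AntiVirus' and 'Missed PDF detection' rankings."""
    caught, missed = {}, {}
    for report in reports:
        for engine, sig in report.items():
            caught.setdefault(engine, 0)
            missed.setdefault(engine, 0)
            if sig:
                caught[engine] += 1
            else:
                missed[engine] += 1

    def by_count(item):
        return (-item[1], item[0])
    return sorted(caught.items(), key=by_count), sorted(missed.items(), key=by_count)


# Constructed sample data (not real VirusTotal output): three files already
# reduced to {engine: signature or None}; engine names are placeholders.
SAMPLE_REPORTS = [
    {"EngineA": "Exploit.PDF-JS.Gen", "EngineB": "PDF/Shellcode", "EngineC": None},
    {"EngineA": "Exploit.PDF-JS.Gen", "EngineB": None, "EngineC": None},
    {"EngineA": "Mal/PdfEx-C", "EngineB": None, "EngineC": None},
]


def fake_opener_sequence(bodies):
    """Offline stand-in for urlopen: serves the given JSON bodies in order."""
    queue = list(bodies)

    def opener(url, data=None):
        return io.BytesIO(json.dumps(queue.pop(0)).encode())
    return opener


def demo():
    """Run the flow offline: two 'queued' replies, then a ready report."""
    opener = fake_opener_sequence([
        {"response_code": -2},
        {"response_code": -2},
        {"response_code": 1, "scans": {
            "EngineA": {"detected": True, "result": "Exploit.PDF-JS.Gen"},
            "EngineB": {"detected": False, "result": None}}},
    ])
    naps = []  # records each requested sleep instead of actually sleeping
    report = wait_for_report(
        lambda: fetch_vt_report("APIKEY-PLACEHOLDER", "sha256-placeholder", opener),
        max_wait=60, interval=10, sleep=naps.append)
    return report, naps, detection_ratio(report)
```

Against the real service you would pass a real API key and the resource id returned by the scan call (the `sha256-timestamp` string in the output above) and leave `opener` and `sleep` at their defaults; `demo()` exercises the same path offline with a fake opener, and `tally_engines(SAMPLE_REPORTS)` reproduces the shape of the two ranked lists in the updated post. Polling with a bounded wait also covers the large-file case the author mentions, where a fixed delay is sometimes too short.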

Monday, August 16, 2010

SET (Social Engineer Toolkit) PDFs x AntiVirus & Scoring System

Since the Social Engineer Toolkit (SET) is being used in the wild, I decided to generate its PDFs and test them against the antivirus vendors and against our new detection scoring based on SpiderLabs research.


  [---]       The Social-Engineer Toolkit (SET)          [---]
  [---]        Written by David Kennedy (ReL1K)          [---]
  [---]                 Version: 0.6.1                   [---]
  [---]            Codename: 'Arnold Palmer'             [---]
  [---]     Report bugs to: davek@social-engineer.org    [---]
  [---]        Java Applet Written by: Thomas Werth      [---]
  [---]        Homepage: http://www.secmaniac.com        [---]
  [---]     Framework: http://www.social-engineer.org    [---]
  [---]       Over 1 million downloads and counting.     [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..
   
             Follow me on Twitter: dave_rel1k

       DerbyCon 2011 Sep29-Oct02 - A new era begins...
                  http://www.derbycon.com


Select from the menu on what you would like to do:

1.  Spear-Phishing Attack Vectors
2.  Website Attack Vectors
3.  Infectious Media Generator
4.  Create a Payload and Listener
5.  Mass Mailer Attack
6.  Teensy USB HID Attack Vector
7   Update the Metasploit Framework
8.  Update the Social-Engineer Toolkit
9.  Help, Credits, and About
10. Exit the Social-Engineer Toolkit

Enter your choice: 1


1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu

Enter your choice: 1

1. Adobe Flash Player 'newfunction' Invalid Pointer Use
2. Adobe Collab.collectEmailInfo Buffer Overflow
3. Adobe Collab.getIcon Buffer Overflow
4. Adobe JBIG2Decode Memory Corruption Exploit
5. Adobe PDF Embedded EXE Social Engineering
6. Adobe util.printf() Buffer Overflow

7. Custom EXE to VBA (sent via RAR) (RAR required)
8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun

Enter the number you want (press enter for default):

1. Windows Reverse TCP Shell
2. Windows Meterpreter Reverse_TCP
3. Windows Reverse VNC
4. Windows Reverse TCP Shell (x64)
5. Windows Meterpreter Reverse_TCP (X64)
6. Windows Shell Bind_TCP (X64)

Enter the payload you want (press enter for default):

* All PDFs use payload 1 – Windows Reverse TCP Shell with port 2345


1. Adobe Flash Player 'newfunction' Invalid Pointer Use

http://www.virustotal.com/file-scan/report.html?id=377ba41782bbeb25c9816d76ec190fb6f4b88c7bbaecc26653a4a6ecc479f3ea-1281835639

File name:flashplayer-newfunction.pdf
Submission date: 2010-08-15 01:27:19 (UTC)
Result: 15/ 42 (35.7%)

$ pdf-analisys.pl -s1 -f flashplayer-newfunction.pdf

flashplayer-newfunction.pdf Malicious PDF Detected


2. Adobe Collab.collectEmailInfo Buffer Overflow

http://www.virustotal.com/file-scan/report.html?id=a4ac73a6efee530a05ea05eeeaa3d8efc137e4eb3bcf4d492c2b318264da2f77-1281836155

File name: collab-collectEmailInfo.pdf
Submission date: 2010-08-15 01:35:55 (UTC)
Result: 17/ 42 (40.5%)


$ pdf-analisys.pl -s1 -f collab-collectEmailInfo.pdf

collab-collectEmailInfo.pdf Malicious PDF Detected

3. Adobe Collab.getIcon Buffer Overflow

http://www.virustotal.com/file-scan/report.html?id=631893cd75bcf60ec82a3f59d3bd3f7f166874641a4ed62ceee28852889ec6e2-1281836494
File name: collab-getIcon.pdf
Submission date: 2010-08-15 01:41:34 (UTC)
Result: 15/ 42 (35.7%)

$ pdf-analisys.pl -s1 -f collab-getIcon.pdf

collab-getIcon.pdf Malicious PDF Detected


4. Adobe JBIG2Decode Memory Corruption Exploit

http://www.virustotal.com/file-scan/report.html?id=814f20d28de287e76dbfacb14d90dbfab8e0b1e11e16212b88ca3216f2189117-1281836756

File name: JBIG2Decode.pdf
Submission date: 2010-08-15 01:45:56 (UTC)
Result: 15/ 42 (35.7%)


$ pdf-analisys.pl -s1 -f JBIG2Decode.pdf

JBIG2Decode.pdf Malicious PDF Detected

5. Adobe PDF Embedded EXE Social Engineering

http://www.virustotal.com/file-scan/report.html?id=484ba7800fd549b82b6ac4dab5100f3017a0995cc47be13977703a168d1bcef3-1281837936
File name: embeddedfile.pdf
Submission date: 2010-08-15 02:05:36 (UTC)
Result: 15/ 41 (36.6%)

$ pdf-analisys.pl -s1 -f embeddedfile.pdf

embeddedfile.pdf Malicious PDF Detected

6. Adobe util.printf() Buffer Overflow

http://www.virustotal.com/file-scan/report.html?id=99e01802391f77c5c93cdf52cb2eacb5673e6acf7ac90776d477948a7fa1222d-1281838414

File name: utilprintf.pdf
Submission date: 2010-08-15 02:13:34 (UTC)
Result: 16/ 42 (38.1%)

$ pdf-analisys.pl -s1 -f utilprintf.pdf

utilprintf.pdf Malicious PDF Detected


8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun

http://www.virustotal.com/file-scan/report.html?id=0ce18c65373f113916b108508b3afc481e460f77353d1e3ddd259dbd29bab5a1-1281838713
File name: U3D.pdf
Submission date: 2010-08-15 02:18:33 (UTC)
Result: 11/ 42 (26.2%)

$ pdf-analisys.pl -s1 -f U3D.pdf

U3D.pdf Malicious PDF Detected


ClamAV Results

collab-collectEmailInfo.pdf: OK
collab-getIcon.pdf: OK
embeddedfile.pdf: Exploit.PDF-22612 FOUND
flashplayer-newfunction.pdf: OK
JBIG2Decode.pdf: OK
U3D.pdf: OK
utilprintf.pdf: OK

----------- SCAN SUMMARY -----------
Known viruses: 813894
Engine version: 0.96.1
Scanned files: 7
Infected files: 1

* ClamAV just updated to the new engine 0.96.2, which detected all 7 samples as malicious, so UPDATE your engine ASAP.

Virus Total Results

Result: 15/ 42 (35.7%)
Result: 17/ 42 (40.5%)
Result: 15/ 42 (35.7%)
Result: 15/ 42 (35.7%)
Result: 15/ 41 (36.6%)
Result: 16/ 42 (38.1%)
Result: 11/ 42 (26.2%)

Average Detection: 14.85 / 42 or 35.37%


Top5* AntiVirus Results

* Top 5 antivirus engines chosen by most common names, not by detection rates

** Payloads listed below:
1. Adobe Flash Player 'newfunction' Invalid Pointer Use
2. Adobe Collab.collectEmailInfo Buffer Overflow
3. Adobe Collab.getIcon Buffer Overflow
4. Adobe JBIG2Decode Memory Corruption Exploit
5. Adobe PDF Embedded EXE Social Engineering
6. Adobe util.printf() Buffer Overflow
8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun



Scoring System Results 

collab-collectEmailInfo.pdf Malicious PDF Detected
collab-getIcon.pdf Malicious PDF Detected
embeddedfile.pdf Malicious PDF Detected
flashplayer-newfunction.pdf Malicious PDF Detected
JBIG2Decode.pdf Malicious PDF Detected
U3D.pdf Malicious PDF Detected
utilprintf.pdf Malicious PDF Detected
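The scoring system that produced the "Malicious PDF Detected" lines above is not published on this page, so the added example below shows the general shape of such a heuristic: count suspicious PDF name objects (the auto-run actions, JavaScript and the embedded-file, JBIG2Decode and U3D structures named in the SET payload list), resolve hex-escaped names so obfuscation does not hide them, and inflate FlateDecode streams so names inside compressed objects are seen too. This is hypothetical code written for this page, not the author's pdf-analisys.pl and not the SpiderLabs scoring; the `INDICATORS` weights, `THRESHOLD`, and the three hand-written sample files `BENIGN`, `SUSPICIOUS` and `COMPRESSED` are all assumptions constructed for illustration.

```python
# Added example (hypothetical, not the author's pdf-analisys.pl nor the
# SpiderLabs scoring): a keyword-based scoring heuristic for suspicious PDFs.
# Indicator weights and the threshold are assumptions made for illustration.
import re
import zlib

INDICATORS = {
    b"/JavaScript": 3, b"/JS": 2, b"/OpenAction": 2, b"/AA": 1, b"/Launch": 3,
    b"/EmbeddedFile": 3, b"/JBIG2Decode": 2, b"/U3D": 2, b"/RichMedia": 2,
}
THRESHOLD = 4  # assumption: distinct-indicator weight sum that flags a file

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_BODY = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)


def normalize_names(data):
    """Resolve PDF name hex escapes (/Java#53cript -> /JavaScript) so that an
    obfuscated name is counted exactly like a plain one."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Replace FlateDecode stream bodies with their inflated content so names
    hidden inside compressed objects become visible; other streams stay as-is."""
    def inflate(m):
        try:
            return b"stream\n" + zlib.decompressobj().decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)
    return STREAM_BODY.sub(inflate, data)


def count_indicators(data, inflate=True):
    """Count each indicator name (must be followed by a delimiter, so /JS != /JSX)."""
    text = normalize_names(inflate_streams(data) if inflate else data)
    counts = {}
    for name in INDICATORS:
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if hits:
            counts[name.decode()] = hits
    return counts


def score_pdf(data, inflate=True):
    """Score = sum of the weights of the distinct indicators present."""
    counts = count_indicators(data, inflate)
    return sum(INDICATORS[name.encode()] for name in counts), counts


def verdict(data, inflate=True):
    score, counts = score_pdf(data, inflate)
    label = "Malicious PDF Detected" if score >= THRESHOLD else "Not flagged"
    return label, score, counts


def scan_file(path):
    with open(path, "rb") as fh:
        return verdict(fh.read())


# Constructed sample files (hand-written minimal PDFs, not real samples).
BENIGN = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
          b"2 0 obj << /Type /Pages /Count 0 >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")

# Auto-run action whose type is hidden with a hex-escaped name, plus an embedded file.
SUSPICIOUS = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"3 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n"
              b"4 0 obj << /Type /EmbeddedFile /Length 4 >>\nstream\nABCD\nendstream\nendobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Same action, but the dictionary naming it sits inside a FlateDecode stream.
_INNER = b"<< /S /JavaScript /JS (app.alert(1)) >>"
_BLOB = zlib.compress(_INNER)
COMPRESSED = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"3 0 obj << /Filter /FlateDecode /Length " + str(len(_BLOB)).encode()
              + b" >>\nstream\n" + _BLOB + b"\nendstream\nendobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
```

`scan_file("some.pdf")` returns the verdict for a file on disk; `score_pdf(COMPRESSED, inflate=False)` versus `score_pdf(COMPRESSED)` shows why stream inflation matters, since the compressed variant only reaches the threshold once the stream body is inflated. A heuristic like this is a triage aid, not a replacement for an engine: it scores structure, not exploit payloads, so a clean-looking file can still carry one and a benign document that uses JavaScript for forms will score as suspicious.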


We sent some papers to a couple of conferences to start sharing this information. I'll let you know if we get approved and where =).

Let's keep improving our research and sharing more and more information each time. In the future we'll share all the information, the scoring and the parser.

Regards,

Rodrigo "Sp0oKeR" Montoro

Thursday, August 5, 2010

Pic from Vegas/Blackhat/Caesars

The only picture with part of the Brazilian friends in Vegas, in front of Caesars after Blackhat 2010

Mab, Rodrigo, Wendel, Bruno and Fio

Nice Blackhat staff shirt, no? =D

I'll still write a post about the Blackhat/Defcon/SpiderLabs meeting this week =)

Regards,

Rodrigo Montoro (Sp0oKeR)

Wednesday, August 4, 2010

RazorBack - New Sourcefire VRT Project

The VRT guys just released version 0.1 of Razorback at Defcon 18. The project is REALLY interesting, and it mostly targets client-side attacks, since that's where most attacks currently are.

What is RazorBack ?

Project Razorback™ is an undertaking by the Sourcefire VRT.
Razorback is a framework for an intelligence driven security solution. It consists of a Dispatcher at the core of the system, surrounded by Nuggets of varying types.

The project page can be found here: http://labs.snort.org/razorback/

There you will find the slides, papers and the 0.1 release files. Besides that, they created a new channel on irc.freenode.net: #razorback.

I'll try to do a lot of tests next week and post about them here.

For sure this project will grow quickly and kick ass in the future. Get involved. I will for sure.

Happy Snorting!

Rodrigo Montoro (Sp0oKeR)