Tag Archives: malware

When Security Pros WannaCry

Once again the Internet is set to DEFCON level: OH SHIT due to the latest ransomware, WannaCry. I’ll refrain from any further analysis of the malware, since it’s already been discussed ad nauseam by every major security vendor. But I will offer the following thoughts.

WTF?! Why is the industry still so bad at dealing with malware? This attack paralyzed organizations like the NHS and impacted carbon units (you know, those things who pay us) in almost 100 countries. But even as the Internet was melting down, organizations were still sluggish to test and apply this patch after it was released.

“In healthcare and other sectors we tend to be very slow to address these vulnerabilities,” says Lee Kim, the director of privacy and security at the Healthcare Information and Management Systems Society.

According to Brian Krebs, Microsoft released a patch for the vulnerability in March 2017, “…but organizations running older, unsupported versions of Windows (such as Windows XP) were unable to apply the update because Microsoft no longer supplies security patches for those versions of Windows.” Woah Nelly, ORGS ARE STILL RUNNING CRITICAL SYSTEMS ON WINDOWS XP?! That OS was released in 2001 and most people don’t even drive cars that old.

And what about all those NextGen security products that are supposed to address zero days? Where was that super-fantastic, heuristic, machine learning AI when we needed it?

The depressing thing about fighting malware is that the most effective solutions are the same as they were a decade ago:

  1. Make sure you’re running an endpoint security product with updated signatures, formerly referred to as antivirus. Do these programs negatively impact system performance? Oh yeah. Are they foolproof? Hell no. But like a screen door, they filter out the majority of attacks.
  2. Patch and update your devices like it’s 1999.* If you’re running Windows, install the official patch (MS17-010), which closes the SMB Server vulnerability used by the attack. Microsoft even released a patch for those unsupported versions of Windows.

*That’s another Prince reference, in case you missed it.


The Endpoint Is Dead To Me

Another day, another vulnerability. This month the big non-event was Badlock, following the recent trend of using a splashy name to catch the media’s attention so they could whip the management meat puppets into a paranoid frenzy. Many in the security community seem unperturbed by this latest bug, because let’s face it, nothing can surprise us after the last couple of really grim years.

But then more Java and Adobe Flash bugs were announced, some new iOS attack using Wi-Fi and NTP that can brick a device, followed by an announcement from Apple that they’ve decided to kill QuickTime for Windows instead of fixing a couple of critical flaws. All of this is forcing me to admit the undeniable fact that trying to secure the endpoint is a waste of time. Even if you’re using a myriad of management tools, patching systems, vulnerability scanners, and DLP agents, you will fail, because you can never stay ahead of the game.

The endpoint must be seen for what it truly is: a limb to be isolated and severed from the healthy body of the enterprise at the first sign of gangrene. It’s a cootie-ridden device that while necessary for our users, must be isolated as much as possible from anything of value. A smelly turd to be flushed without remorse or hesitation. No matter what the user says, it is not valuable and nothing of value to the organization should ever be stored on it.

This doesn’t mean I’m advocating removing all endpoint protection or patching agents. But it’s time to get real and accept the fact that most of this corporate malware is incapable of delivering what the vendors promise. Moreover, most often these applications negatively impact system performance, which infuriates our users. But instead of addressing this issue, IT departments layer more of this crapware onto the endpoint, which only encourages users to find ways to disable it. One more security vulnerability for the organization. A dedicated attacker will figure out a way to bypass most of it anyway, so why do we bother to trust software that is often more harmful to business productivity than the malware we’re trying to block? We might as well give out “Etch A Sketches” instead of laptops.


Malware Analysis and Incident Response Tools for the Frugal and Lazy

I confess: I covet and hoard security tools. But I’m also frugal and impatient, so I often look for something free and/or quick. And yes, that frequently means using an online, hosted service. Before the security purists get their panties in a wad, I’d like to offer this disclaimer: you may mock me for taking shortcuts, but it’s not always about having the best tool, but the one that gets the job done.

Here’s a list that I frequently update. You’ll notice that sometimes I have the same tool in more than one section, but this is because it has multiple functions. If you know of others and would like to contribute or if you think the tool is outdated or bad, please let me know and I’ll adjust the list accordingly.

Many thanks to @grecs for his additions and for helping me organize it. Also to Lenny Zeltser, author of the REMnux malware analysis and reverse engineering distro, from whom I’ve borrowed shamelessly. You’ll find many of these tools and others on his own lists, so I encourage you to check his posts on this topic as well.

Online Network Analysis Tools

Network-Tools.com offers several online services, including domain lookup, IP lookup, whois, traceroute, URL decode/encode, HTTP headers and SPAM blocking list.

Robtex Swiss Army Knife Internet Tool: combined DNS, IP and domain lookups from a single web interface.

CentralOps Online Network tools offers domain and other advanced internet utilities from a web interface.

Shadowserver Whois and DNS lookups check ASN and BGP information. To utilize this service, you need to run whois against the Shadowserver whois system or DNS queries against their DNS system.

Netcraft provides passive reconnaissance information about a web site using an online analysis tool or with a browser extension.

Online Malware Sandboxes & Analysis Tools

Malwr: Malware analysis service based on Cuckoo sandbox.

Comodo Instant Malware Analysis: automated file analysis that produces a report.

Eureka! is an automated malware analysis service that uses a binary unpacking strategy based on statistical bigram analysis and coarse-grained execution tracing.

Joe Sandbox Document Analyzer checks PDF, DOC, PPT, XLS, DOCX, PPTX, XLSX, RTF files for malware.

Joe Sandbox File Analyzer checks behavior of potentially malicious executables.

Joe Sandbox URL Analyzer checks behavior of possibly malicious web sites.

ThreatTrack Security Public Malware Sandbox performs behavioral analysis on potential malware in a public sandbox.

XecScan Rapid APT Identification Service provides analysis of unknown files or suspicious documents, and supports hash searches as well.

adopstools scans Flash files, local or remote.

ThreatExpert is an automated threat analysis system designed to analyze and report the behavior of potential malware.

Comodo Valkyrie: A file verdict system. Unlike traditional signature-based malware detection techniques, Valkyrie conducts several analyses using run-time behavior.

EUREKA Malware Analysis Internet Service (the online front end of the Eureka! service listed above).

MalwareViz: Malware Visualizer displays the actions of a bad file by generating an image. More information can be found by simply clicking on different parts of the picture.

Payload Security: Submit PE or PDF/Office files for analysis with VxStream Sandbox.

VisualThreat: Mobile App Threat Reputation Report for Android files.

totalhash: Malware analysis database.

Deepviz Malware Analyzer: online malware analysis service.

MASTIFF Online, a free web service offered by KoreLogic Inc. as an extension of the MASTIFF static analysis framework.

Online File, URL, or System Scanning Tools

VirusTotal analyzes files and URLs enabling the identification of malicious content detected by antivirus engines and website scanners. See below for hash searching as well.

OPSWAT’s Metascan Online scans a file, hash or IP address for malware.

Jotti enables users to scan suspicious files with several antivirus programs. See below for hash searching as well.

URLVoid allows users to scan a website address with multiple website reputation engines and domain blacklists to detect potentially dangerous websites.

IPVoid, brought to you by the same people as URLVoid, scans an IP address using multiple DNS-based blacklists to facilitate the detection of IP addresses involved in spamming activities.

Comodo Web Inspector checks a URL for malware.

Malware URL checks websites and IP addresses against known malware lists. See below for domain and IP block lists.

ESET provides an online antivirus scanning service for scanning your local system.

ThreatExpert Memory Scanner is a prototype product that provides a “post-mortem” diagnostic to detect a range of high-profile threats that may be active in different regions of a computer’s memory.

Composite Block List checks whether an IP is on multiple block lists and, if it is, tells you who blocked it and why.

AVG LinkScanner Drop Zone: Analyzes the URL in real time for reputation.

BrightCloud URL/IP Lookup: Presents historical reputation data about the website

Web Inspector: Examines the URL in real-time.

Cisco SenderBase: Presents historical reputation data about the website

Is It Hacked: Performs several of its own checks of the URL in real time and consults some blacklists

Norton Safe Web: Presents historical reputation data about the website

PhishTank: Looks up the URL in its database of known phishing websites

Malware Domain List: Looks up recently-reported malicious websites

MalwareURL: Looks up the URL in its historical list of malicious websites

McAfee TrustedSource: Presents historical reputation data about the website

MxToolbox: Queries multiple reputational sources for information about the IP or domain

Quttera ThreatSign: Scans the specified URL for the presence of malware

Reputation Authority: Shows reputation data on specified domain or IP address

Sucuri Site Check: Website and malware security scanner

Trend Micro Web Reputation: Presents historical reputation data about the website

Unmask Parasites: Looks up the URL in the Google Safe Browsing database. Checks for websites that are hacked and infected.

URL Blacklist: Looks up the URL in its database of suspicious sites

URL Query: Looks up the URL in its database of suspicious sites and examines the site’s content

vURL: Retrieves and displays the source code of the page; looks up its status in several blocklists

urlQuery: a service for detecting and analyzing web-based malware.

Analyzing Malicious Documents Cheat Sheet: An excellent guide from Lenny Zeltser, who is a digital forensics expert and malware analysis trainer for SANS.

Qualys FreeScan is a free vulnerability scanner and network security tool for business networks. FreeScan is limited to ten (10) unique security scans of Internet accessible assets.

Zscaler Zulu URL Risk Analyzer: Examines the URL using real-time and historical techniques

Hash Searches

VirusTotal allows users to perform term searches, including on MD5 hashes, based on submitted samples.

Jotti allows MD5 and SHA1 hash searches based on submitted samples.

Malware Hash Registry by Team Cymru offers an MD5 or SHA-1 hash lookup service for known malware via several interfaces, including Whois, DNS, HTTP, HTTPS, a Firefox add-on or the WinMHR application.
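As an added example that is not part of the original post, here is how the DNS interface of the Malware Hash Registry above can be driven from a script: build the query name for a batch of MD5/SHA-1 hashes, then parse the answer. It assumes, as the service documents, that a TXT query for `<hash>.malware.hash.cymru.com` returns `"<last_seen_epoch> <av_detection_percent>"` and NXDOMAIN for an unknown hash; the resolver is injected so the logic runs offline with a constructed answer table.

```python
"""Build and parse Team Cymru MHR lookups over DNS (added example).
Assumed answer format: TXT "<last_seen_epoch> <detection_percent>"; NXDOMAIN
(here: None) means the hash is not in the registry."""
import re
from datetime import datetime, timezone
from typing import Callable, Iterable, Optional

MHR_ZONE = "malware.hash.cymru.com"
_HEX = re.compile(r"^[0-9a-f]+$")


def mhr_query_name(file_hash: str) -> str:
    """DNS name to query; MHR accepts MD5 (32 hex chars) or SHA-1 (40)."""
    h = file_hash.strip().lower()
    if not _HEX.match(h) or len(h) not in (32, 40):
        raise ValueError(f"not an MD5/SHA-1 hex digest: {file_hash!r}")
    return f"{h}.{MHR_ZONE}"


def parse_mhr_txt(txt: Optional[str]) -> dict:
    """Turn the TXT payload into a verdict dict; None (NXDOMAIN) = unknown."""
    if txt is None:
        return {"known": False}
    parts = txt.strip().strip('"').split()
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected MHR answer: {txt!r}")
    last_seen = datetime.fromtimestamp(int(parts[0]), tz=timezone.utc)
    return {"known": True, "last_seen": last_seen.isoformat(),
            "detection_percent": int(parts[1])}


def lookup_hashes(hashes: Iterable[str],
                  resolve_txt: Callable[[str], Optional[str]]) -> dict:
    """Check a batch; resolve_txt(name) returns the TXT string or None."""
    return {h: parse_mhr_txt(resolve_txt(mhr_query_name(h))) for h in hashes}


# Constructed stand-in for a resolver (hash and answer are made up). A real
# one would issue the TXT query, e.g. with dnspython, and map NXDOMAIN to None.
FAKE_ANSWERS = {f"{'a' * 32}.{MHR_ZONE}": '"1277221946 79"'}


def fake_resolve_txt(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for h, verdict in lookup_hashes(["A" * 32, "b" * 40], fake_resolve_txt).items():
        print(h, verdict)
```

A low detection percentage on a known hash still means the registry has seen the sample; treat "known" and the percentage as separate signals when triaging.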

Domain & IP Reputation Lists

Malware Patrol provides block lists of malicious URLs, which can be used for anti-spam, anti-virus and web proxy systems.

Cisco SenderBase: Reputation data about a domain, IP or network owner.

Malware Domains offers domain block lists for DNS sinkholes.

Malware URL not only allows checking of websites and IP addresses against known malware lists as described above but also provides their database for import into local proxies.

ZeuS Tracker provides domain and IP block lists related to ZeuS.

Fortiguard Threat Research and Response can check an IP or URL’s reputation and content filtering category.

CLEAN-MX Realtime Database: Free; XML output available.

CYMRU Bogon List: A bogon prefix is a route that should never appear in the Internet routing table. These are commonly found as the source addresses of DDoS attacks.

DShield Highly Predictive Blacklist: Free but registration required.

Google Safe Browsing API: programmatic access; restrictions apply.

hpHosts File: limited automation on request.

Malc0de Database

MalwareDomainList.com Hosts List

OpenPhish: Phishing sites; free for non-commercial use

PhishTank Phish Archive: Free query database via API

ISITPHISHING is a free service from Vade Retro Technology that tests URLs, brand names or subnets with an automatic website exploration engine, which classifies phishing websites based on community feeds and data.

Project Honey Pot’s Directory of Malicious IPs: Free, but registration required to view more than 25 IPs

Scumware.org

Shadowserver IP and URL Reports: Free, but registration and approval required

SRI Threat Intelligence Lists: Free, but re-distribution prohibited

ThreatStop: Paid, but free trial available

URL Blacklist: Commercial, but first download free

Additional tools for checking URLs, files and IP address lists for their appearance on a malware, reputation or block list of some kind.

Malware Analysis and Malicious IP search are two custom Google searches created by Alexander Hanel. Malware Analysis searches over 155 URLs related to malware analysis, AV reports, and reverse engineering. Malicious IP searches CBL, projecthoneypot, team-cymru, shadowserver, scumware, and centralops.

Vulnerability Search is another custom Google search created by Corey Harrell (of Journey into Incident Response Blog). It searches specific websites related to software vulnerabilities and exploits, such as 1337day, Packetstorm Security, Full Disclosure, and others.

Cymon: Open tracker of malware, phishing, botnets, spam, and more.

Scumware.org, in addition to IP and domain reputation, also searches for malware hashes. You’ll have to deal with a captcha though.

ISC Tools checks domain and IP information. It also aggregates blackhole/bogon/malware feeds and has links to many other tools as well.

Malc0de performs IP checks and offers other information.

OpenMalware: A database of malware.

Other Team Cymru Community Services: Darknet Project, IP to ASN Mapping, and Totalhash Malware Analysis.

viCheck.CA provides tools for searching their malware hash registry, decoding various file formats, parsing email headers, performing IP/Domain Whois lookups, and analyzing files for potential malware.

AlienVault Reputation Monitoring is a free service that alerts users when domains or IPs become compromised.

Web of Trust: Presents historical reputation data about the website; community-driven. Firefox add-on.

Shodan: a search engine that lets users find specific types of computers (routers, servers, etc.) connected to the internet using a variety of filters.

Punkspider: a global web application vulnerability search engine.

Email tools

MX Toolbox: MX record monitoring, DNS health, blacklist and SMTP diagnostics in one integrated tool.

Threat Intelligence and Other Miscellaneous Tools

ThreatConnect: Free and commercial options.

Threatminer: Data mining for threat intelligence.

IBM X-Force Exchange: a threat intelligence sharing platform that you can use to research security threats, to aggregate intelligence, and to collaborate with peers.

Recorded Future: Free email of trending threat indicators.

Shadowserver has lots of threat intelligence, not just reputation lists.

The Exploit Database: From Offensive Security, the folks who gave us Kali Linux, the ultimate archive of Exploits, Shellcode, and Security Papers.

Google Hacking Database: Search the database or browse GHDB categories.

Privacy Rights Clearinghouse: Data breach database.

Breach Level Index: Data breach database.

AWStats: Free real-time log analyzer.

AlienVault Open Threat Exchange
