Flash movie analyzers

Here is an online tool that perform an analysis of a Flash movie, this is very interesting for analyzing potential malware movies:

Adopstools

Another tool is the WepaWet, this one handles Flash and Javascripts files:

http://wepawet.iseclab.org/

Here we can find some interesting tools like the SWFdump and SWFstrings:

Swftools.org

Also here is an interesting post, on analyzing Flash:

Pentphase.de

Thanks to Vicente for the links

Enjoy

-CMM

Secure deleting a Macbook (pro) with OSX

Yesterday i was preparing my old Macbook Pro for selling, and after doing a backup i wanted to do a secure delete of all the hard disk content. So i started to search for a software or a solution (before using a live CD) and i found that the OSX include the option to do a secure delete in the "disk utility", best of all is that the cupertino boys have 3 different kinds of secure delete, with different levels of security, to prevent the file recovery.

Zero Out Data:

This method writes zeros over all of the data on the drive. This provide a decent level of file security,there are forensics utilities that in theory could retrieve some data however they are extremely expensive and time consuming and there are no documented cases of this actually taking place.

7 pass erase:

This method will write data over the disk seven times, and will take 7 times longer than Zero Out Data. This method is compliant with the D0D 5220.22-M specification, meaning that it is virtually impossible to retrieve the information.

35 pass erase:

If you are paranoid or you really need to protect some files, you can use this method that writes the entire disk 35 times... It is said that this method is really impossible to recover. Also this option will take ages to finish.

Well after checking the options, i went with the 7 pass erase method, and for a 150GB partition it took 7 hours to complete, now i had to do the same for the 100GB partition :(

Reference: http://danbenjamin.com/articles/2008/05/secure-erase-osx
-CMM

25C3 Chaos Communication Congress videos

The 25C3 is finishing and the videos of the presentations are available here:

http://81.163.130.141/streamdump/

Enjoy

-CMM

Usename check!

After the presentation i gave at IV Spanish OWASP meeting, many people asked me about the website that checks if a username is registered at different websites (Social networks, web 2.0, etc).

The website that i use is: http://www.usernamecheck.com/

It has more than 70 sites for checking, this is very interesting when doing information gathering, or forensics investigations.

Next post i will show how can this site will help us.

Enjoy

-CMM

Netifera - Network security Analysis

A new framework is being cooked at Netifera.com, it is coded over Eclipse framework, so the application will be able to run in all platforms, right now there is only two packages Linux and OsX.

A description taken from their website:

"At netifera we are building a next generation platform for network security analysis.

Our architecture is a radically innovative approach to managing high volumes of network information.

Our free and open source platform provides the framework for creating and integrating security tools with a flexibility that has never been possible before."

The team is made of people who has worked in CORE, Sebastian Muñiz and Luciano Notarfrancesco, were the ones that presented the tool at XCON in china.

You can download the beta and get more information HERE

-CMM

Blackhat Japan 2008 Presentations

The presentations and the audio files are available to download,

You can get them HERE

Enjoy

-CMM

Malware Hash registry

Team Cymru has launched a look-up service that allows you to query their database of many millions of unique malware samples for a MD5 or SHA-1 hash of a file.

The service is free for non-commercial use.

The results of the query, will output the date the sample was first seen, and the detection rate of 30 AV engines.

Also you can cross check with the www.virustotal.com engine hash check option

More information HERE

-CMM

Metasploit Decloak V2

The Metasploit project, has released a tool that demonstrate a system for identifying the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services. No vulnerabilities are exploited by this tool. A properly configured Tor setup should not result in any identifying information being exposed. 

It's an interesting tool, to check if your proxy configuration is really anonymizing your connections, or if you are under a false anonymity.

You can check your proxy anonymity here:  Metasploit decloak

-CMM

Oracle Forensics

Hi, this time i will post a brief entry about Oracle Forensics, when we talk about Oracle Forensics we are talking about David Litchfield, he researched and developed tools for analyzing Oracle from the forensic point of view.

Next Thursday he will participate in a Black Hat Webinar, where he specifically will talk about  Orablock:

"The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file - i.e. there's no need to load up the data file in the database which would cause the data file to be modified, so using orablock preserves the evidence. "

You can register here.

Also he will publish a book about Oracle Forensics very soon, you can pre order it at amazon, the book is called "Oracle Forensics Using Quisix"

And if you want to check all his presentations and papers about the issue you can  go here.

There are few persons working in this field, and besides Litchfield we can refer to Paul M. Wright, author of the first Oracle Forensic Book, you can check his blog here.

Enjoy!

-CMM

Panda Security advertisement

This is an unusual post but it is very funny, and is related with security:

The guys from Panda Security made a great advertisement with a concept very far from the information security but very funny and effective, at least the main idea is very well transmitted.




-CMM

Python Regexp tester

When you are coding in python and need to use a regular expression, i always end up firing up a python interpreter and trying the regexp on the fly, now i discovered www.pythonregex.com , a web application created over Google App Engine that allows you to try regular expressions without having to code a line, you just need to write the regexp and put the string or text where do you want to apply it.


Give a try here

-CMM

Jsky - a free Web Application Scanner

A new free Web application Scanner is out, from the same author of Pangolin (a good SQL Injection tool). The scanner looks pretty solid and complete for an alpha version; the list of checks is the following:

• SQL Injection
• XSS
• Unsecure object using
• Local path disclosure
• Unsecure directory permissions
• Server vulnerabilities like buffer overflow and configure error
• Possible sensitive directories and files scan
• Backup files scan
• Source code disclosure
• Command Execute
• File Include
• Web backdoor
• Sensitive information
• And so much more......

It also claims  that also exploits the vulnerabilities, but i didn't try that option yet.

Here is a screenshot of the tool in action:

You can download it from here

-CMM

Shellcode2Exe

Here is a tool that could be handy when you stumble with a shellcode, and you want to create a binary to analyze with a debugger:

Shellcode2Exe

Just paste the shellcode and click submit, right now supports 3 types of shellcode:

1) %u urlencoded IE shellcode payloads
2) \x style C strings
3) raw hex strings with no spaces ex. 9090EB15

It's based on a tool that you can find in the Malcode Analyzing Pack from Idefense

Thanks Vicente for the tip

-CMM

Windows Prefetcher and forensic analysis

When doing Forensic analysis, many times you need to find if a user had run a binary on the analyzed system, there are some places where we can obtain information about application run s like entries in the "RunMRU" registry location (HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ RunMRU), but today i will talk about the Prefetcher files.

The Prefetcher:

"It is a component of the Memory manager that speeds up the Windows boot process, and shortens the amount of time it takes to start up programs."

"Windows XP monitors the files that are used when the computer starts and when you start applications. By monitoring these files, Windows XP can prefetch them. Prefetching data is the process whereby data that is expected to be requested is read ahead into the cache. Prefetching boot files and applications decreases the time needed to start Windows XP and start applications."

This feature was introduced with XP, and it's available in VISTA.

In short when you launch an application windows will create .pf file in the prefetch directory (%SYSTEMROOT%\Prefetch\), this file will contain information to speed up future application startups.

This file contains different information about the application, but at the end of the file we can find the path of the file image.

The name of the file is FILE-HASH.pf, the HASH is calculated with the path of the file image, so if the same binary is run from two different location, we will have two different prefetch files.

So now you can find if an application was run on the Windows system and you can have the MAC times of the prefetch file and the image file to add to the timeline analysis, also there is a counter of how many times the application was used.  (You can use Windows File Analyzer to get all this information)

This could be helpful when analyzing Malware on infected machines, the malware maybe is deleted but the prefetch entry is still available, or to find the executable of the malware analyzing all the prefetch files.

Maybe you are wondering how many files Windows will save? It's supposed to maintain 128 entries, any entry over 128 will be flushed, most frequently used applications will be preserved.

Do you know more places to find information about applications runs?

More info on Prefetch

A tool for analyzing Prefetch directory: Windows File Analyzer

-CMM