Wednesday, February 4, 2009

2008 X-Force Trend and Risk report

On February 2, 2009 IBM announced the results of its 2008 X-Force Trend and Risk report, which found that corporations put their own customers at risk of "cybercriminal activities" by failing to properly defend their servers against identified exploits.

Two main trends were reported in the X-Force report. First, today's websites are the "Achilles' heel" of IT security. This is the result of attackers' desire to infiltrate a website's software so that their own applications can infect end-user machines, combined with corporations running standard, off-the-shelf applications that have known exploits. According to the report, 74% of deployed web applications have had no patches applied, and the volume of attacks seen at the end of 2008 was 30x greater than the number seen in the early summer months.

The second major trend is a switch away from attacks that primarily target browser defects and ActiveX scripts toward attacks involving Flash and PDFs. The research recorded a 50% increase in Q4 2008 in the number of URLs hosting exploits compared to the total for all of 2007. Spammers are also switching to these compromised-website tactics to expand their reach.

The X-Force report also notes that the critical vulnerabilities disclosed did not see widespread exploitation. IBM believes the Common Vulnerability Scoring System (CVSS), used today as the industry-standard rating system for virus threats, needs to be overhauled.

Sunday, January 4, 2009

Nokia SMS Exploiting

Send a message that contains more than 32 e-mail addresses with a space to any of the following S60 mobile phones.
Nokia E90 Communicator
Nokia E71
Nokia E66
Nokia E51
Nokia N95 8GB
Nokia N95
Nokia N82
Nokia N81 8GB
Nokia N81
Nokia N76
Nokia 6290
Nokia 6124 classic
Nokia 6121 classic
Nokia 6120 classic
Nokia 6110 Navigator
Nokia 5700 XpressMusic

S60 3rd Edition, initial release (S60 3.0):
Nokia E70
Nokia E65
Nokia E62
Nokia E61i
Nokia E61
Nokia E60
Nokia E50
Nokia N93i
Nokia N93
Nokia N92
Nokia N91 8GB
Nokia N91
Nokia N80
Nokia N77
Nokia N73
Nokia N71
Nokia 5500
Nokia 3250

S60 2nd Edition, Feature Pack 3 (S60 2.8):
Nokia N90
Nokia N72
Nokia N70

S60 2nd Edition, Feature Pack 2 (S60 2.6):
Nokia 6682
Nokia 6681
Nokia 6680
Nokia 6630

Exploiting the vulnerability locks the target's SMS functions: the victim can no longer send or receive SMS, and the system may even hang.


S60 SMS Exploit Messages
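A gateway-side check for the condition described above, written here as an added Python example (it is not from the original post and is not a Nokia or carrier tool): it counts e-mail address tokens in a message body and holds any message whose count exceeds the 32-address threshold the post cites, so the message is reviewed instead of being forwarded to a handset. The regular expression, the sender numbers and the sample messages are my own constructions.

```python
import re

# Loose e-mail address token matcher; the goal is counting address-shaped
# tokens, not RFC-compliant validation.
EMAIL_TOKEN = re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+")

# Threshold from the post: more than 32 e-mail addresses in one message
# triggers the fault on the affected S60 phones.
MAX_ADDRESSES = 32


def count_email_addresses(text):
    """Number of address-shaped tokens in the message body."""
    return len(EMAIL_TOKEN.findall(text))


def classify_message(text, limit=MAX_ADDRESSES):
    """Return ('deliver' | 'hold', count).

    Messages over the limit are held for review instead of being forwarded.
    """
    count = count_email_addresses(text)
    return ("hold" if count > limit else "deliver", count)


def filter_batch(messages, limit=MAX_ADDRESSES):
    """Split (sender, body) pairs into deliverable and held messages.

    Each entry in the result carries the sender and the address count so an
    operator can see why a message was held.
    """
    deliver, held = [], []
    for sender, body in messages:
        verdict, count = classify_message(body, limit)
        (deliver if verdict == "deliver" else held).append((sender, count))
    return deliver, held


def demo():
    """Constructed sample traffic: a normal text, a message at the limit and one over it."""
    batch = [
        ("+10000000001", "meeting moved to 3pm, call me"),
        ("+10000000002", " ".join(f"user{i}@example.com" for i in range(32))),
        ("+10000000003", " ".join(f"user{i}@example.com" for i in range(33))),
    ]
    return filter_batch(batch)


if __name__ == "__main__":
    delivered, held = demo()
    print("deliver:", delivered)
    print("hold:", held)
```

The threshold is a plain count of address-shaped tokens, which is what the post describes; if a carrier wanted to be stricter it could lower the limit, since an ordinary text rarely carries dozens of addresses. The check belongs at the SMSC or an SMS gateway, because the affected phones cannot protect themselves once the message has been delivered.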

Thursday, September 25, 2008

Disclosure: Windows Kernel - Kernel Time

Today, I disclose a method to get the kernel time in the Microsoft Windows operating system. The easy way to get the kernel time is to call the KeGetCurrentPrcb routine, which is an undocumented native API.
Use the code segment below:

    PKPRCB Prcb;
    ULONG  ulKeTime = 0;
    Prcb = KeGetCurrentPrcb();     /* processor control block of the current CPU */
    ulKeTime = Prcb->KernelTime;   /* kernel time field of the KPRCB */

The prototype of KeGetCurrentPrcb is:

    KPRCB* KeGetCurrentPrcb(VOID)

Now, let's take a look at its code. Its body is essentially three instructions (32-bit x86, MSVC inline assembly; in kernel mode fs points at the KPCR, and the KPRCB pointer sits at offset 0x20 of that structure):

    {
        ULONG Value;
        __asm mov eax, fs:[20h]   /* KPCR->Prcb */
        __asm mov [Value], eax
        return (struct _KPRCB *) Value;
    }

Another way is to get the EPROCESS structure, then locate the KPROCESS fields (KPROCESS is embedded at the start of EPROCESS as its Pcb member).
The main fields of KPROCESS are the following:

    DISPATCHER_HEADER  Header
    ULONG_PTR          DirectoryTableBase[2]
    KGDTENTRY          LdtDescriptor
    KIDTENTRY          Int21Descriptor
    USHORT             IopmOffset
    UCHAR              Iopl
    volatile KAFFINITY ActiveProcessors
    ULONG              KernelTime   // here is the kernel time
    ULONG              UserTime
    LIST_ENTRY         ReadyListHead
    SINGLE_LIST_ENTRY  SwapListEntry
    LIST_ENTRY         ThreadListHead
    KSPIN_LOCK         ProcessLock

Note that the KPROCESS value is the kernel-mode time accumulated by that process, whereas the KPRCB value is per processor. Both structures are undocumented and their field offsets change between Windows versions, so code that hard-codes an offset will break on a different build.

Friday, September 5, 2008

#2 - Hypervisor based security solution

Detection methods
1. Behavioral detection
  • Detecting diverted execution paths
  • Detecting alterations in the number, order, and frequency of system calls
2. Signature scanners – AV products
  • Fingerprint identification
  • Searches memory or the file system for unique byte patterns
3. Integrity checkers – Tripwire
  • Detects unauthorized changes to system files or to loaded OS components in memory
  • Creates an initial baseline database containing their CRC values
  • Periodically calculates the CRCs of these files and compares them against the initial trusted baseline
4. Diff-based approach
  • Microsoft Strider GhostBuster, Sysinternals RootkitRevealer, F-Secure BlackLight
5. Hardware-assisted hypervisor based approach?
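As an added illustration of the integrity-checker approach (item 3) and the diff-based approach (item 4) above, here is a small Python script that is not from the original post and not from Tripwire or any of the tools named: it records CRC-32 values for every file under a directory as the trusted baseline, re-scans the tree to report modified, added and removed files, and expresses the diff-based idea as a set difference between a high-level (API) view and a low-level (raw) view of the same objects. The directory layout, file names, file contents and the two object lists are constructed for the demo.

```python
import os
import tempfile
import zlib


def crc32_of_file(path, chunk_size=65536):
    """CRC-32 of a file's contents, read in chunks so large files need little memory."""
    value = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            value = zlib.crc32(chunk, value)
    return value & 0xFFFFFFFF


def build_baseline(root):
    """Walk a directory tree and record one CRC-32 per file: the trusted baseline database."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = crc32_of_file(full)
    return baseline


def compare_with_baseline(baseline, root):
    """Recompute the CRCs and report what changed relative to the baseline."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def cross_view_diff(high_level_view, low_level_view):
    """Diff-based detection: objects visible in the raw (low-level) view but absent from
    the API (high-level) view are being hidden from the operating system's own APIs."""
    return sorted(set(low_level_view) - set(high_level_view))


def demo():
    """Constructed scenario: baseline three 'system files', then replace one and drop a new one."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("ntoskrnl.exe", b"kernel image"),
                           ("hal.dll", b"hal image"),
                           ("drivers/foo.sys", b"driver image")):
            full = os.path.join(root, name)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)

        # Simulate a first-generation rootkit: one system file replaced, one driver added.
        with open(os.path.join(root, "hal.dll"), "wb") as fh:
            fh.write(b"hal image with patched bytes")
        with open(os.path.join(root, "drivers", "evil.sys"), "wb") as fh:
            fh.write(b"unknown driver")
        return compare_with_baseline(baseline, root)


if __name__ == "__main__":
    print(demo())
    # Constructed views: what the directory-listing API returns versus what a raw
    # scan of the file system finds.
    api_view = ["ntoskrnl.exe", "hal.dll", "foo.sys"]
    raw_view = ["ntoskrnl.exe", "hal.dll", "foo.sys", "hidden.sys"]
    print("hidden objects:", cross_view_diff(api_view, raw_view))
```

Two caveats a practitioner should keep in mind. CRC-32 is what the post names, but it is not collision resistant: an attacker who can rewrite a file can also pad it so the old CRC is preserved, so a production checker should store a cryptographic hash such as SHA-256 and keep the baseline somewhere the monitored system cannot rewrite it. This script also only covers files on disk; checking loaded OS components in memory, as the post's item 3 describes, requires reading kernel memory, which it does not do.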

Thursday, September 4, 2008

ThinkUtility - Proactive Protection against BSODs

Today, I would like to talk about operating system crashes. First, let's take a look at why a system crashes. Wow, it's really hard to answer that question. Generally speaking, a BSOD is the result of the system being too "sick" to continue, e.g.

  • A device driver or an operating system function running in kernel mode incurs an unhandled exception.
  • A call to a kernel support routine results in a reschedule, such as waiting for an unsignaled dispatcher object when the interrupt request level (IRQL) is DPC/Dispatch level or higher.
  • A page fault on memory backed by data in a paging file or a memory-mapped file occurs at an IRQL of DPC/Dispatch level or above (which would require the memory manager to wait for an I/O operation to complete; and, as just stated, waits cannot occur at DPC/Dispatch level or higher because that would require a reschedule).
  • A device driver or operating system function explicitly crashes the system (by calling the system function KeBugCheckEx) because it detects an internal condition that indicates either a corruption or some other situation in which the system cannot continue execution without risking data corruption.
  • A hardware error, such as a machine check or a nonmaskable interrupt (NMI), occurs.
The typical problems are:
  • Unhandled exception
  • OS or driver detects severe inconsistency
  • Invalid memory references
  • Hardware error
Well, can I do something while the system crashes? The answer is nothing. If you have configured the system to dump memory, you will see the infamous Blue Screen Of Death.

That's the current Windows solution. Can we improve it? Definitely, yes. I have developed a utility as a proactive protection method. When I get an appropriate FTP site, I will share it with everyone.

To be continued...

Saturday, July 26, 2008

#1 - Hypervisor based security solution

Hypervisor based rootkits - evolution

Today, I would like to give a talk about hypervisor based rootkits and related security solutions. It is a series of talks. First, let's review the evolution of rootkits.

• First generation rootkits
  – Replaced / modified system files on the victim's hard disk
• Second generation rootkits
  – Modify static OS components / structures loaded in memory
    • Table based hooking approaches (IAT, EAT, SSDT, IDT)
    • Inline function hooking
    • Kernel and user mode rootkits
• Third generation rootkits
  – Modify dynamic OS objects loaded in memory
    • Direct Kernel Object Manipulation (DKOM)
    • Kernel objects represent just about everything in the system (processes, threads, drivers, security tokens, etc.), so the possibilities are virtually unlimited.
    • Exclusively kernel mode rootkits
• Fourth generation rootkits
  – Virtual memory subversion
    • Modify the page table – ITLB & DTLB, e.g. Shadow Walker
• Fifth generation: virtualization based – Blue Pill, SubVirt
  – No hooks in the system!