/dev/null

Mozilla Firefox 3.5 released!

by gb_master on Jun.30, 2009, under General, Release

Today, 30 June 2009, the Mozilla Foundation released its flagship product, the Firefox browser, version 3.5. They say it is twice as fast as its predecessor Firefox 3 and ten times faster than Firefox 2 (I really don't care about this: I always thought Firefox was a fast browser).

Among the other new features there is support for the HTML5 <audio> and <video> tags and a new approach to JavaScript through the new and very fast TraceMonkey engine. And now a feature I think I'll really enjoy: a private browsing mode (it simply doesn't keep history, cookies or cache for the visited sites on disk; note that it does nothing to hide the traffic itself from the network, but in its simplicity I think it will be really useful).

I'll give another point to Firefox because Mozilla decided to improve memory usage (which is sometimes a pain for my poor laptop) and the already quite good security side (more phishing and malware protection).

I'm still trying to get used to Iceweasel, but I really hope they'll bump the version for that browser too. Maybe it's just a matter of days, maybe not.

Anyway, download your Firefox copy at www.getfirefox.com.

See you soon


Switching to Debian…

by gb_master on Jun.24, 2009, under About me..., General, Linux

Just yesterday I thought of leaving my good ole' dear Gentoo distro for a Debian box. My Acer laptop has already lost two fans and, in my opinion, there are two possible causes: Acer components suck, or Gentoo keeps the CPU working too hard for too long.

I don't really have the money to buy another laptop now, so I've chosen to install Debian testing and give it a try.

It's not so bad so far, but I think I'll miss the hours of compilation...sniff...sniff...


Phrack #66

by gb_master on Jun.11, 2009, under General, Release, Security

After more than a year since Phrack #65, here we go with this new marvellous and interesting issue. Here is the list of the articles included:

  • Introduction (TCLH)
  • Phrack Prophile on The PaX Team (TCLH)
  • Phrack World News (TCLH)
  • Abusing the Objective C runtime (nemo)
  • Backdooring Juniper Firewalls (Graeme)
  • Exploiting DLmalloc frees in 2009 (huku)
  • Persistent BIOS infection (aLS and Alfredo)
  • Exploiting UMA : FreeBSD kernel heap exploits (argp and karl)
  • Exploiting TCP Persist Timer Infiniteness (ithilgore)
  • Malloc Des-Maleficarum (blackngel)
  • A Real SMM Rootkit (Core Collapse)
  • Alphanumeric RISC ARM Shellcode (YYounan and PPhilippaerts)
  • Power cell buffer overflow (BSDaemon)
  • Binary Mangling with Radare (pancake)
  • Linux Kernel Heap Tampering Detection (Larry H)
  • Developing MacOs X Rootkits (ghalen and wowie)
  • How close are they of hacking your brain (dahut)

My interest is, as expected, caught by the Core Collapse and aLS & Alfredo articles, which I'm looking forward to reading carefully: it seems that rootkits are getting to lower and lower levels. In July we'll see at Black Hat a presentation about Ring -3 rootkits :) so...

Again, a lot of really interesting memory exploitation articles. I think the wait for this issue was really worth it. I hope to read the whole issue very soon.

See you…


Linux kernel 2.6.30

by gb_master on Jun.10, 2009, under General, Linux, Release

As promised by Linus Torvalds, linux kernel 2.6.30-rc8 was the last -rc, and today the definitive version was released.

The first thing we notice is that the original Tux mascot is back as the logo. Other than this little change, there's a huge list of improvements and changes. Among them is the inclusion of two new filesystems: NILFS2 and EXOFS. There are also some improvements in ext3 and ext4 speed and the possibility to compress the kernel image in LZMA or bzip2 format.

In the past, the scan for partitions, for example, was really slow because of the synchronous architecture of the process: the kernel had to wait for each device in turn. Now asynchronous scanning is implemented, with a consequent shortening of the boot time.

There are a lot of other changes in this release. I recommend a visit to KernelNewbies for the full list.

I'm still looking forward to kernel mode-setting for the ATI Radeon drivers: let's hope to see it with the 2.6.31 release.

See you soon


L0phtCrack 6 released, at last!

by gb_master on May.29, 2009, under General, Release, Security

Well, well, well, after some time the team has decided to release this wonderful and long-awaited product.

The interface is still the same (though with a Windows 7-looking style), but there are some new features that make this program even more worth it than before. In fact, it can now take advantage of 64-bit computation and the multi-processor architecture of modern PCs.

Another new feature is the possibility of using precomputed password hashes (rainbow tables): now cracking hashes may take minutes instead of weeks of computation. This applies to Windows and UNIX hashes (keep in mind that precomputation only pays off for unsalted formats such as LM and NTLM; a per-user salt, as in the classic UNIX crypt formats, forces the work to be redone for every hash).

You can even schedule network scans: daily, weekly, monthly or one-off scans can be programmed. Another interesting feature is the possibility to score password quality and receive a report.

What more should I say? A very good product. Finally, here are the prices:

Professional Version: $295

Administrator Version: $595

Consultant Version: $1195

Purchase it at L0phtcrack.com


OpenBSD 4.5 released!

by gb_master on May.01, 2009, under General, Release


Today the OpenBSD developers have released the new version of their secure UNIX system: OpenBSD 4.5.

Among the improvements, surely one of the most important is that initial ports for the Gumstix platform (XScale based) and for the ARM-based OpenMoko are included. Support has been added for virtual I/O between logical domains on Sun's CoolThreads servers. It is now possible for UltraSPARC IIe CPUs to scale down their frequency to save power.

There have been a lot of improvements in hardware support (too many to list here).

New versions of software have been included in this release (OpenSSH 5.2 above all): among them we can notice Gnome 2.24.3, KDE 3.5.10 (KDE4 still ain't that stable, huh?), MySQL 5.0.77, OpenOffice 2.4.2/3.0.1, Xfce 4.4.3, Mozilla Firefox 3.0.6, Mozilla Thunderbird 2.0.0.19 and many others.

The core system includes, among others, the following components from outside suppliers: Xenocara (X.Org 7.4 patched + freetype 2.4.2 + fontconfig 2.4.2 + Mesa 7.2 + xterm 239 + etc.), Binutils 2.15 patched, GCC 2.95.3 patched, GCC 3.3.5 patched, Apache 1.3 patched with SSL/TLS and DSO support, OpenSSL 0.9.8j patched, sudo 1.7, Bind 9.4.2-P2 patched, …

I'm not an OpenBSD user even though I tried to get it onto my PC, but my college firewall drops FTP connections, which are quite fundamental for this OS, so I had to give up on this project.

See you soon


Ubuntu 9.04 Jaunty Jackalope released!

by gb_master on Apr.23, 2009, under General, Release

Who really cares…….


Conficker.C activation’s eve

by gb_master on Mar.31, 2009, under General, Security, Threat

There is a lot of noise on the net about this event, but don't worry. Researchers at the Honeynet Project have found a flaw in the way Conficker patches its victims. In fact, it can be used to detect a compromised host from a remote station. So they've put together a cure to disinfect hosts both remotely and locally.

Let's go on with some details. In the past we all thought that Conficker patched MS08-067 (the bug the malware exploits to infect hosts) to prevent other successful exploits: this isn't entirely true. In fact, it just hooks NetpwPathCanonicalize() and checks for suspicious parameters: if Conficker finds some, the function fails. The problem is that a call to that function containing a \..\ pattern is perfectly valid as long as the overall path is valid, but Conficker treats the pattern as suspicious and rejects the call anyway. This difference in behaviour between a clean and an infected host can be used for a detection tool.

They obviously didn't stop there and went on with the research. They wrote some IDS rules to block Conficker's attempts to execute shellcode and infect hosts.

One possible approach to killing the Conficker process is to analyze the memory of every running process, looking for the unpacked malware code: Conficker's code is protected by several layers of packing, but when it runs it writes the clean code into some process's memory and spawns a thread with that code. You can't just kill the process, because it usually is a system process and you may end up with an unstable machine. First you should search for the code, then kill the right thread. Once the code is found, the next step is to determine the size of the memory segment and overwrite it with NOP instructions followed by a shellcode that just calls ExitThread(), so that any thread running in that region terminates itself. Now the code can be erased from memory. The mutex it created to prevent redundant infections remains active and "protects" us from other instances of Conficker, until the next reboot.
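The "find the unpacked code, then neutralise the thread" step above, as an added example in C that is not the Honeynet Project's tool: process memory is modelled as one byte image split into segments (the way VirtualQueryEx would report them), the unpacked code is recognised by a constructed signature, and the ExitThread address placed in the exit stub is a placeholder that a real tool would resolve on the target host. The segment table, the signature and the image contents are all made up for this example.

```c
/* Added example (not the Honeynet Project's tool): a portable model of the
 * "find the unpacked code, then neutralise the thread" step described above.
 * Assumptions, all made for this example: process memory is one byte image split
 * into segments as VirtualQueryEx would report them, the unpacked Conficker code
 * is recognised by a constructed signature, and the ExitThread address in the
 * exit stub is a placeholder that a real tool resolves on the target host. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90                 /* x86 one-byte NOP */
#define EXIT_STUB_LEN 9

struct segment { size_t base; size_t len; };

/* Offset of sig in image, or -1 if absent (plain byte search). */
static ptrdiff_t find_signature(const uint8_t *image, size_t image_len,
                                const uint8_t *sig, size_t sig_len)
{
    if (sig_len == 0 || sig_len > image_len) return -1;
    for (size_t i = 0; i + sig_len <= image_len; i++)
        if (memcmp(image + i, sig, sig_len) == 0) return (ptrdiff_t)i;
    return -1;
}

/* Segment containing off, the equivalent of a VirtualQueryEx lookup. */
static const struct segment *segment_of(const struct segment *segs, size_t n, size_t off)
{
    for (size_t i = 0; i < n; i++)
        if (off >= segs[i].base && off - segs[i].base < segs[i].len) return &segs[i];
    return NULL;
}

/* x86 stub: push 0 ; mov eax, imm32 ; call eax  (stdcall ExitThread(0)).
 * exit_thread is the target's kernel32!ExitThread address (assumed known). */
static void build_exit_stub(uint8_t out[EXIT_STUB_LEN], uint32_t exit_thread)
{
    out[0] = 0x6A; out[1] = 0x00;                    /* push 0 */
    out[2] = 0xB8;                                   /* mov eax, imm32 */
    for (int i = 0; i < 4; i++)                      /* little-endian immediate */
        out[3 + i] = (uint8_t)(exit_thread >> (8 * i));
    out[7] = 0xFF; out[8] = 0xD0;                    /* call eax */
}

/* Fill the segment with NOPs and put the exit stub at its end: a thread
 * executing anywhere in the segment slides down the sled into ExitThread(). */
static int neutralise_segment(uint8_t *seg, size_t seg_len, uint32_t exit_thread)
{
    uint8_t stub[EXIT_STUB_LEN];
    if (seg_len < EXIT_STUB_LEN) return -1;          /* stub would not fit */
    build_exit_stub(stub, exit_thread);
    memset(seg, NOP, seg_len - EXIT_STUB_LEN);
    memcpy(seg + seg_len - EXIT_STUB_LEN, stub, EXIT_STUB_LEN);
    return 0;
}

/* Locate the signature, resolve its segment, patch the whole segment.
 * Returns the patched length, 0 if the signature is absent, -1 on error. */
ptrdiff_t neutralise_image(uint8_t *image, size_t image_len,
                           const struct segment *segs, size_t nsegs,
                           const uint8_t *sig, size_t sig_len, uint32_t exit_thread)
{
    ptrdiff_t hit = find_signature(image, image_len, sig, sig_len);
    if (hit < 0) return 0;
    const struct segment *s = segment_of(segs, nsegs, (size_t)hit);
    if (!s || s->len > image_len - s->base) return -1;  /* bad segment table */
    if (neutralise_segment(image + s->base, s->len, exit_thread) < 0) return -1;
    return (ptrdiff_t)s->len;
}

/* Constructed sample, not real process memory: a 4 KiB image of 0xCC filler,
 * three segments, and a made-up signature planted inside the middle one. */
#define DEMO_LEN 4096
static uint8_t demo_image[DEMO_LEN];
static const uint8_t demo_sig[] = { 0x55, 0x8B, 0xEC, 0xDE, 0xAD, 0xBE, 0xEF };
static const struct segment demo_segs[] = { {0, 1024}, {1024, 2048}, {3072, 1024} };

ptrdiff_t run_demo(void)
{
    memset(demo_image, 0xCC, DEMO_LEN);
    memcpy(demo_image + 1500, demo_sig, sizeof demo_sig);
    /* 0x7C80BE3B is a placeholder ExitThread address, not a real one. */
    return neutralise_image(demo_image, DEMO_LEN, demo_segs, 3,
                            demo_sig, sizeof demo_sig, 0x7C80BE3Bu);
}

/* Accessors for inspecting the result after run_demo(). */
int demo_byte(size_t off) { return off < DEMO_LEN ? demo_image[off] : -1; }
int demo_signature_present(void)
{
    return find_signature(demo_image, DEMO_LEN, demo_sig, sizeof demo_sig) >= 0;
}

int main(void)
{
    ptrdiff_t n = run_demo();
    printf("patched %td bytes; signature still present: %d\n", n, demo_signature_present());
    return n > 0 ? 0 : 1;
}
```

The stub sits at the end of the segment rather than at the signature hit because the thread may be executing anywhere in the unpacked code at the moment of the write; the NOP sled carries it forward into ExitThread() regardless of where it was. On a real host the write goes through WriteProcessMemory after the segment has been made writable, and ExitThread's address must be taken from the target's own kernel32 mapping; neither of those Windows-specific steps is modelled here.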

What the #@#!? All this just to get a temporary protection? Don't worry. They made a definitive removal tool too. The smart developer of this malware wrote the code so that the program hides itself in a DLL with a pseudo-random name: the name is derived from some parameters of the infected host. The researchers just wrote a simple tool that computes the DLL name the same way. But hey, that file is really hidden. No problem. Not so hidden. The tool can remove it and you'll have a clean system.

You've still got some hours, so here is the link to the tools you'll need: http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

Feel free to leave any comment.

See ya soon…


Say hello to Tuz

by gb_master on Mar.24, 2009, under General, Release

What have we got here? After 89 days of development, the day has come: Linux 2.6.29 has been released, and has Tuz as its logo, as promised.

Well, what's new in this one? First of all, support for kernel mode-setting on Intel hardware (in short, the video-adapter code that currently lives in the X server is migrating into the kernel): this will surely bring a lot of security improvements (X.org won't need to run with root privileges anymore). Another possibility is printing a kernel oops directly on screen while X is running: I really hate it when my PC halts with a kernel panic and I have to analyze logs to find the cause.

Then they added support for two new filesystems (Btrfs and SquashFS) and some important updates for the just-stabilized ext4 (it now supports a non-journaled mode).

Last but not least, there's support for WiMAX devices, the possibility to cooperate with the HostAP utility and create a wireless access point, and a lot of other changes.

I really recommend reading this website because it offers a full view of all the changes in the kernel. As Phoronix.com says, "after celebrating for a day or two, it's time to start thinking about Linux 2.6.30!". It's true.

Just waiting…. ;)

Feel free to leave comments…


Conficker.C

by gb_master on Mar.21, 2009, under General, Security, Threat

We already knew that a new version of the well-known Conficker malware was spreading around the net. What we didn't know is that it has been analyzed and is hiding a very nice gift for us for April Fools' Day.

Before anything else, let's see what this malware is and what it isn't. When the program is launched, it checks for a mutex, just to make sure that only one instance of the malware is running. After that it patches some APIs to block DNS queries to security-related destinations (microsoft, mcafee, avg, avira are just some of the keywords). The next step is disabling host security services, such as Windows Defender, and the ones that provide software updates: now the victim can't be defended or updated with patches from Microsoft. Conficker.C then spawns a new thread that kills every suspicious program.

Now the problem for the malware is ensuring that an instance of the program is started at every boot: it modifies the registry and fills it with a lot of unused keys, maybe to hide its own presence. Then it copies itself into a safe folder, deletes any restore point prior to the infection and checks the size of the DLL, just for validation.

One of the nice points is the P2P communication with other infected hosts over TCP or UDP. The last and maybe most worrying point is the payload: it will activate on 1 April 2009 and, once activated, the malware will try to connect to domains taken from a list of over 50,000 generated per day.

What else…

