
Re: Vulnerability Assessment

"Compliance with SB1386"

That's pretty interesting since SB1386 is primarily a privacy bill that 
requires businesses to disclose a security breach.
http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
"includes personal information, as defined, to disclose in specified 
ways, any breach of the security of the data, as defined, to any 
resident of California whose unencrypted personal information was, or is 
reasonably believed to have been, acquired by an unauthorized person"

Even the sister bill/law of AB1950 states
http://info.sen.ca.gov/pub/03-04/bill/asm/ab_1901-1950/ab_1950_bill_20040929_chaptered.html
"This bill would require a business, other than specified entities, that 
owns or licenses personal information about a California resident to 
implement and maintain reasonable security procedures and practices to 
protect personal information from unauthorized access, destruction, use, 
modification, or disclosure."

Compliance with these regulations is interpretive.  What is 
'reasonable' in the eyes of one person is not in another's, nor should it 
be, depending on the risk assessment of each firm.  These regulations 
are, by design, vague and subject to interpretation (and certainly 
subject to legal precedent setting, of which there's been little set thus 
far).  PCI standards are a bit more exact, but even then, beware of 
anything that states that they document compliance with "fill in the 
blank" regulation.

Vulnerability assessment is only one part of a possible compliance with 
regulations.


杨峰 | 1 Aug 05:58 2007

Re: Analize Virus

filemon
regmon
sniffer
ida pro
softice
processmon

----- Original Message ----- 
From: "Rafa Richart" <Rafa <at> ontinet.com>
To: <pen-test <at> securityfocus.com>
Sent: Wednesday, August 01, 2007 1:28 AM
Subject: Analize Virus



Hi Pals,

we're looking for some tools to analyze the Malware behavior, we've a Lab under construction, but we need
some advice on what tools we've to use. tools to see what have been changing in the registry, stat connections etc...

Any help is welcome.

Thanks in advance

Rafa




Jason Ross | 1 Aug 06:03 2007

Re: Analize Virus

On 7/31/07, Rafa Richart <Rafa <at> ontinet.com> wrote:
>
> we're looking for some tools to analyze the Malware behavior, we've
> a Lab under construction but we need some advice on what tools we've
> to use. tools to see what have been changing in the registry, stat
> connections etc...

I've found VMware Server (the free version) to be especially useful
for this purpose.

I use "What Changed" (which is available from [among other places]
http://majorgeeks.com/What_Changed_d5018.html) to compare files and
registry hives which have changed, and have had decent results with it.

I have heard good things about the "Reg Shot" app
( http://majorgeeks.com/RegShot_d965.html ) but haven't used it myself.

Of course, Wireshark is essential (in my opinion), as are the various
utilities previously offered from Sysinternals (now Microsoft) ...
in particular I find PsTools and TCPView to be very handy.
The collection of these is at the technet site:
http://www.microsoft.com/technet/sysinternals/default.mspx

You also may find it useful to have some form of disassembler/debugger.
I am fond of ollydbg for this purpose, which is available at
http://www.ollydbg.de

It's probably worth noting that the craftier malware authors are
beginning to check to see if they are running in a VMware environment.
Accordingly it may be useful to take some countermeasures to that if

Jörg Weber | 1 Aug 07:56 2007

Re: Analize Virus

Rafa,

Sunbelt sells a suite of tools for automated malware analysis, CWSandbox. It seems to do the job you want to
get done.

Cheers,

Joerg

--

Joerg Weber M. A.
Chief Security Officer

infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken

T: (0681) 8 80 08 - 59
F: (0681) 8 80 08 - 33
www.infos.de
mailto: j.weber <at> infos.de  

Commercial register: Amtsgericht Saarbrücken, HRB 11001
Place of performance: Saarbrücken
Managing director: Dr. Werner Stein
VAT ID: DE168970599

> -----Original Message-----
> From: listbounce <at> securityfocus.com [mailto:listbounce <at> securityfocus.com] Im

Jamie Riden | 1 Aug 10:16 2007

Re: Looking to set up an infosec lab

On 31/07/07, Ned Kratzer <NedK <at> fltg.com> wrote:
> It depends on the type of environment in which you want to look for
> vulnerabilities...servers, business desktops/workstations or home
> computers?
>
> For servers, if you want your lab to mirror the "real world" as much as
> possible, I'd recommend a version of RedHat 7 or newer, RedHat
> Enterprise 2.1 or newer, Solaris 2.6 or newer, Win 2k and 2k3 Server
> (maybe even NT4 Server).
>
> For business desktop/workstations, 2000 and XP Pro are probably gonna
> be your best bets.
>
> Now for the "home computer" situation, Mac OSX 10.2 or newer, Win 9x,
> Me, XP Home and Vista are gonna be your biggest share, on the *nix side,
> I'd probably throw in Ubuntu and RedHat, maybe OpenSUSE and Fedora too.

Most deployed in my experience seem to be Windows XP, 2000, 2003, Mac
OS X, Fedora and Debian. Some places will be running Solaris, Digital
UNIX/Tru64, AIX and HPUX - these are fairly localised though, and
whether you bother will depend on what sort of clients you're dealing
with.

Red Hat 6.2 was a nice release, but is really quite ancient now. Most
people will want to have some kind of support so RHEL and Fedora will
probably have replaced it in most companies. There may be a few
NT/Win98 machines but I'd leave these for now until you actually need
them.

cheers,

Robert McArdle | 1 Aug 11:24 2007

Re: Analize Virus

If it's black-box testing you are looking for (i.e. seeing the effects of the threat
on the system) as opposed to debugging / disassembly, here are some to get
you started, although there are many other excellent apps

Regshot - Takes a before/after snapshot of the registry/filesystem -
http://www.softpedia.com/get/Tweak/Registry-Tweak/Reg-Shot.shtml

Wireshark - Network Analyzer- www.wireshark.org

SysInternals (Now Microsoft) tools -
http://www.microsoft.com/technet/sysinternals/default.mspx

It has a good few that are worth a look, specifically Process Monitor,
Autoruns, Process Explorer, etc

After that you'll want some Rootkit detectors like GMER or IceSword

Robert McArdle
--
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings

On 7/31/07, Rafa Richart <Rafa <at> ontinet.com> wrote:
>
> Hi Pals,
>
> we're looking for some tools to analyze the Malware behavior, we've a Lab under construction, but we need
> some advice on what tools we've to use. tools to see what have been changing in the registry, stat connections etc...
>
> Any help is welcome.
>

Colin Copley | 1 Aug 18:23 2007

Re: Analize Virus

>From: "Rafa Richart" <Rafa <at> ontinet.com>
>To: <pen-test <at> securityfocus.com>
>Sent: Tuesday, July 31, 2007 6:28 PM
>Subject: Analize Virus
>
>we're looking for some tools to analyze the Malware behavior, we've a Lab
>under construction, but we need some advice on what tools we've to use.
>tools to see what have been changing in the registry, stat connections etc...

Hi

You might want to try one of the malware/virus lists as well, but here are
some apps you'll probably find useful:

A virtual machine environment:-
MS Virtual Machine and /or VMware

Dynamic analysis:-
Regmon & Filemon, from Sysinternals, now at MS Technet
(Strings, Process Explorer, Autoruns, & Rootkit Revealer are also useful to
have handy, also from Sysinternals)

Simple DOS scripts can help to create your baselines before running a virus.

You'll also need a selection of unpackers, decompilers, debuggers,
disassemblers and hex editors.
I've found these useful:

PEid
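The before/after snapshot comparison that Regshot does for the registry and filesystem, and the baseline scripts Colin mentions, both come down to the same idea: record a fingerprint of every file before running the sample, record it again afterwards, and diff the two. This is an added illustration, not code from the thread or from Regshot, and it covers the filesystem half only; the sample tree and the "effects" it simulates are constructed for the demo.

```python
"""Before/after filesystem baseline diff (added example, not Regshot's code)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root to (size, sha256), keyed by relative path."""
    snap = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return snap


def diff_snapshots(before, after):
    """Report paths that were created, deleted or changed between two snapshots."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    # A file is "changed" if its size or content hash differs between snapshots.
    changed = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"created": created, "deleted": deleted, "changed": changed}


def demo():
    """Constructed scenario: a lab tree is baselined, then a simulated run
    rewrites a config file, deletes a log and drops a new file."""
    with tempfile.TemporaryDirectory() as lab:
        root = Path(lab)
        (root / "config.ini").write_text("[app]\nupdate=on\n")
        (root / "logs").mkdir()
        (root / "logs" / "app.log").write_text("ok\n")
        before = snapshot(root)          # baseline, taken before running the sample
        # Simulated effects (constructed for the demo, not a real sample).
        (root / "config.ini").write_text("[app]\nupdate=off\n")
        (root / "logs" / "app.log").unlink()
        (root / "dropped.dat").write_bytes(b"\x00" * 16)
        after = snapshot(root)           # second snapshot, taken afterwards
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real lab image you would snapshot the system drive once from a clean state and once after detonation, and review the diff alongside the registry and network captures.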

Rafa Richart | 3 Aug 13:59 2007

Re[2]: Analize Virus


Thanks very much to all the people who have answered my question; now I have a lot of information 

Best regards

Thursday, 02 August 2007
at 17:39, wrote:

AS> My $.02

AS> For static or code analysis, I use IDAPro or Ollydbg as well as good
AS> old 'strings' and 'objdump', I've also been starting to play with PE
AS> Explorer lately.

AS> For dynamic studies, I'll run wireshark on my host system and use a
AS> combo of Winalysis, Process Explorer, filemon, and fport. Lately, I've
AS> been kicking SysAnalyzer around a bit.

AS> Keep in mind, more and more malware is becoming VMWare aware, so a
AS> hardware solution such as a CoreRestore card might be a good
AS> investment.

AS> In general:

AS> Behavioral Analysis:
AS> Wireshark
AS> Process Monitor
AS> Process Explorer
AS> FileMon
AS> RegMon

Curt Purdy | 2 Aug 14:56 2007

RE: [lists] Looking to set up an infosec lab

Our lab is a dual dual-core Opteron (4 procs) w/16 GB RAM running SuSE Linux
10.2 w/VMware ESX Server (have not run Windoze on bare metal for 4 years -
thus have not had to re-install in 4 years :)

I then run about a dozen OS's including every version of Windoze, a few
*NIX's and Novell.  I have images of every guest for quick re-install (10-30
minutes per, depending on size).  I then turn malware loose on a Windoze box
and watch it infect the other boxes, depending on the propagation mode.  Of
course the *NIX and Novell boxes never skip a beat.

Curt Purdy CISSP, GSNA, GSEC, CNE, MCSE+I, CCDA 
202.302.6032
infosysec <at> gmail.com
purdy <at> tecman.com

-------------

If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked. 
-- former White House cybersecurity czar Richard Clarke 

> -----Original Message-----
> From: listbounce <at> securityfocus.com 
> [mailto:listbounce <at> securityfocus.com] On Behalf Of John M. Martinelli
> Sent: Monday, July 30, 2007 9:40 PM
> To: pen-test <at> securityfocus.com
> Subject: [lists] Looking to set up an infosec lab
> 
> Hi, list.
> 

lists73 | 3 Aug 18:00 2007

Re: Analize Virus

Hi,

Some people recommended VMware. While being a great product in general,
you might run into problems when using it for malware analysis.
Malware these days, at least the sophisticated ones, detect that they
are running inside a virtual machine. Your results are
therefore not what you might expect. We use Core Restore instead.

http://www.coreprotect.com/core_restore.html

It might be cool to see what files are created, changed or deleted, but
it does not give you a real clue what the malware does. Take the
banking trojans as an example. Most of them trigger only when the
victim types in the correct URL of the targeted bank. You need not
only file/registry tools; you should combine that with Wireshark for
network traffic analysis, Paros to see what is going on on the web
application part, OllyDbg to analyze the malware sample more deeply
etc. etc.

Hope that helps

SkillTube Team

Quoting Rafa Richart <Rafa <at> ontinet.com>:

>
> Hi Pals,
>
> we're looking for some tools to analyze the Malware behavior, we've
>  a Lab under construction, but we need some advice on what tools
