Studying for SANS’ FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

In November 2013 I took the fateful decision to take SANS’ FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques class with Hal Pomeranz. Hal isn’t the course author for the class, but he is taller, louder, likes strange beers and has plotted my demise a couple of times.

Anyway, I won’t give a review of the 610 course as many, many others have already done so. However, during the class there was much mocking from Hal and my classmates; shockingly, I was the target of the aforementioned mocking, making it a most enjoyable time. Really, take any of Hal’s classes and ask to be mocked; it makes the days fly!

I promised Hal on his deathbed I would take and pass this exam for him. Yes, yes, Hal wasn’t on his deathbed, but he’s somewhat accident prone, especially if pushed at the right time.

So I’ve had some time off to ponder home repairs and gardening, and now it’s time to crush the 610 exam. Slight problem: I haven’t taken a SANS exam in a while now (oops) and need to get back on that cyber* horse.

Starting my exam preparation training plan: practice, practice, practice all the hands-on labs, make hugely useful indexes of each book, and then make a playbook of my own and practice examining real malware with 610’s techniques, tools and procedures. Some of you may be asking “Chris, why aren’t you listening to the MP3s they give you as additional study?” The answer is simple. It’s complicated.

Okay, Lenny isn’t Hal. Yes, Lenny has some great stories, wrote the class and is an all-round nice guy, but unless I can get recordings of Hal mocking me, it won’t have the same psychological impact. Hal’s like Mr T in Rocky III: I have to beat him mentally before stepping into the exam ring. Lenny’s just too nice and helpful.

Must. Crush. Hal.

Er, pass the exam, by using Hal as motivation.

Day one of prep and the laptop and virtual labs are built, plus I carried one of the books around with me all day. I can feel the knowledge seeping through the bag, over the air and into my brain without turning a page. Actually, that’s more of a hallucination, so I have to resort to reading the book on the journey in to work tomorrow.

The only reason for these blog posts is a “Get on with it and study!” reminder.

Right, off to watch 2001: A Space Odyssey as that should help me wind down and forget all about Hal.

 

* Cyber – it’s synonymous with everything that’s right about IT security today and it makes things sound more complicated/scary. Cyberknife, Cyberlight and CyberButterChickenandNarn are examples.

Mucking around with blog hosting 2014

Well, 2014.

After a few minor disagreements with my former hosting provider I’m going to be trying a range of new and, most likely problematic, other hosting options. Heck, it’s all about trying new things and seeing what breaks. Or who’s trying to break in to your site, but more on this later.

Swapping over has already broken a few things, but I’ve learnt some new (to me) and not very exciting things about building Apache. I’ll be stuffing up the blog searches for the next month or so with the major search engines, sorry. It’s for a greater good (no, it’s not; however, I do get to learn how to go over the top in breaking WordPress while attempting to lock it down).

And with that, it’s back to blogging about Stuff™

 

WordPress Password Attacks for the last few days IP addresses

There’s been a number of news stories on mass password-guessing attacks on WordPress sites, none of which is anything new or exciting. The possibility that some of these attacks are being done by a large botnet seems to have shaken some folks.

http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood/

http://blog.sucuri.net/2013/04/mass-wordpress-brute-force-attacks-myth-or-reality.html

http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/

Well, being the chummy, log-sharing chap I am, here’s a list of the naughty machines that have been trying to log in with the admin username on my lovely blog site.

My top security tip is to rename the admin account to something less obvious: Elvis, pancake, tree, duh! or metalmicky would thwart this rather simplistic attack, which only guesses passwords for the default “admin” username. The rename only helps while the new name stays private, so check that it isn’t leaked by WordPress author archives (the user nicename shown in author URLs defaults to the login name). A decent passphrase would be another fine option too…

Needless to say, most of the attacking IP addresses are from the land of the free and the home of the weak password: the United States of America, 65 out of the 151 in the table below.

Thank you compromised US systems!

I found a nifty web site that allowed me to make this pretty visual map of the attackers’ locations: http://batchiplocator.webatu.com/

Shame they only allow 110 addresses to be entered for display on the geo-IP map, but it’s very handy for putting together a blog post like this.

Attackers this week 18Apr2013

Add the following naughty password-guessing IPs to block lists, see if these have hit your logs too, or even report them to their ISPs’ abuse@ addresses. It’s up to you.

These IP addresses are from the 14th of April up to today (18th of April).

IP address Country
193.180.115.113 Austria
85.158.215.36 Belgium
177.180.13.250 Brazil
187.85.82.38 Brazil
78.142.63.82 Bulgaria
199.204.214.208 Canada
184.107.150.58 Canada
108.163.128.206 Canada
108.163.188.186 Canada
198.144.157.117 Canada
24.64.120.194 Canada
190.98.219.99 Chile
210.14.78.21 China
223.87.0.177 China
111.13.87.150 China
218.203.105.26 China
61.234.146.186 China
61.175.223.134 China
211.167.112.14 China
14.17.29.112 China
41.222.196.37 Congo, The Democratic Republic of the
185.15.196.72 Europe
94.23.234.227 France
188.165.202.45 France
5.135.158.104 France
109.1.137.192 France
81.252.211.149 France
194.231.138.35 Germany
194.116.187.25 Germany
83.243.57.33 Germany
87.253.162.6 Germany
188.40.166.133 Germany
31.22.104.28 Germany
85.10.195.141 Germany
176.9.78.117 Germany
85.214.27.40 Germany
46.165.198.100 Germany
85.25.73.37 Germany
188.40.69.202 Germany
78.46.34.77 Germany
180.188.194.54 Hong Kong
124.244.59.238 Hong Kong
94.199.51.8 Hungary
210.210.178.20 Indonesia
115.124.72.62 Indonesia
118.99.79.123 Indonesia
42.62.176.150 Indonesia
180.244.193.110 Indonesia
77.237.73.3 Iran, Islamic Republic of
85.119.183.223 Italy
202.232.236.66 Japan
210.188.201.41 Japan
115.187.79.147 Japan
202.214.8.82 Japan
2.135.238.162 Kazakhstan
176.123.0.114 Moldova, Republic of
176.123.0.105 Moldova, Republic of
91.214.200.45 Moldova, Republic of
176.123.0.237 Moldova, Republic of
176.123.0.231 Moldova, Republic of
176.123.0.94 Moldova, Republic of
77.235.47.247 Netherlands
194.247.30.126 Netherlands
80.95.160.178 Netherlands
146.0.79.23 Netherlands
89.44.200.154 Romania
92.114.86.81 Romania
93.187.140.18 Romania
89.38.207.234 Romania
80.86.105.174 Romania
80.78.247.92 Russian Federation
178.208.91.196 Russian Federation
151.248.123.211 Russian Federation
212.49.116.20 Russian Federation
119.31.233.40 Singapore
80.35.80.139 Spain
80.28.254.179 Spain
61.19.248.138 Thailand
95.173.186.104 Turkey
31.210.86.205 Turkey
37.247.99.82 Turkey
94.138.206.66 Turkey
37.57.25.225 Ukraine
31.202.217.135 Ukraine
95.154.234.101 United Kingdom
80.68.95.137 United Kingdom
216.224.169.123 United States
184.154.36.210 United States
67.205.24.238 United States
96.127.139.170 United States
74.208.66.177 United States
65.254.40.154 United States
70.32.112.125 United States
64.202.240.136 United States
209.51.142.178 United States
199.195.143.121 United States
24.234.3.189 United States
184.105.235.28 United States
66.36.228.123 United States
207.58.185.126 United States
184.154.115.10 United States
69.163.164.44 United States
199.180.252.22 United States
66.55.144.244 United States
173.245.6.132 United States
65.254.168.168 United States
67.215.243.250 United States
216.224.175.71 United States
72.29.68.51 United States
74.207.224.242 United States
69.174.254.88 United States
74.117.61.88 United States
174.127.117.77 United States
72.32.68.101 United States
69.195.198.111 United States
198.1.127.222 United States
208.113.170.83 United States
204.93.60.103 United States
204.93.60.174 United States
207.58.139.238 United States
204.93.60.208 United States
204.93.60.84 United States
216.172.147.251 United States
204.93.60.164 United States
204.93.60.75 United States
50.22.236.98 United States
204.93.60.12 United States
50.117.80.66 United States
204.93.60.58 United States
216.172.147.234 United States
184.168.112.26 United States
199.223.214.154 United States
8.29.131.248 United States
184.168.109.23 United States
23.27.237.205 United States
208.116.36.230 United States
198.98.113.47 United States
65.60.19.242 United States
72.167.13.19 United States
50.117.80.168 United States
216.172.147.57 United States
198.144.116.91 United States
184.168.114.10 United States
204.93.60.9 United States
208.115.125.60 United States
204.93.60.207 United States
23.27.238.51 United States
198.144.116.100 United States
50.117.80.38 United States
50.31.98.92 United States
209.73.151.229 United States
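To check your own Apache access logs against a list like the one above (and to spot guessers that aren’t on anyone’s list yet), here is an added example in Python. It is not code from the original post; it assumes Apache’s combined log format and an iptables host, the log lines embedded in it are constructed for the example, and a few of the post’s IPs are reused as the “known bad” set. The one WordPress detail it relies on is that a failed login POST to wp-login.php is answered with a 200 (the login form is re-shown), while a successful login is a 302 redirect into wp-admin, so the status code separates the two.

```python
import re
from collections import Counter

# Apache "combined" log format: client IP, identity, user, timestamp, request line,
# status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines for this example; they are not from the blog's real logs.
# A failed wp-login.php POST gets a 200 (form re-rendered); a successful one gets a 302.
SAMPLE_LOG = """\
176.123.0.114 - - [14/Apr/2013:03:12:01 +1000] "POST /wp-login.php HTTP/1.1" 200 3924 "-" "Mozilla/5.0"
176.123.0.114 - - [14/Apr/2013:03:12:02 +1000] "POST /wp-login.php HTTP/1.1" 200 3924 "-" "Mozilla/5.0"
176.123.0.114 - - [14/Apr/2013:03:12:03 +1000] "POST /wp-login.php HTTP/1.1" 200 3924 "-" "Mozilla/5.0"
176.123.0.114 - - [14/Apr/2013:03:12:04 +1000] "POST /wp-login.php HTTP/1.1" 200 3924 "-" "Mozilla/5.0"
204.93.60.103 - - [15/Apr/2013:11:40:10 +1000] "POST /wp-login.php HTTP/1.1" 200 3924 "-" "Mozilla/5.0"
204.93.60.103 - - [15/Apr/2013:11:40:11 +1000] "POST /wp-login.php HTTP/1.1" 200 3924 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Apr/2013:09:00:00 +1000] "GET /wp-login.php HTTP/1.1" 200 3924 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Apr/2013:09:01:00 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Apr/2013:09:01:01 +1000] "GET /wp-admin/ HTTP/1.1" 200 51204 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""

# A subset of the IPs from the post's table, used here as the "known bad" list.
KNOWN_BAD = {"176.123.0.114", "204.93.60.103", "94.23.234.227"}


def failed_logins(log_text):
    """Count POSTs to /wp-login.php that came back 200 (form re-shown) per client IP."""
    failures = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate junk or truncated lines rather than aborting the run
        path = m.group("path").split("?", 1)[0]  # ignore ?redirect_to=... and friends
        if m.group("method") == "POST" and path == "/wp-login.php" and m.group("status") == "200":
            failures[m.group("ip")] += 1
    return failures


def suspects(log_text, threshold=3, known_bad=frozenset()):
    """IPs at or above the failure threshold, plus known-bad IPs with any failed login.

    Returns a list of (ip, failures, on_known_bad_list) sorted by failures, then IP.
    """
    failures = failed_logins(log_text)
    flagged = [(ip, n, ip in known_bad) for ip, n in failures.items()
               if n >= threshold or ip in known_bad]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


def iptables_rules(flagged):
    """Render DROP rules for the flagged IPs (assumes an iptables host; adapt for your firewall)."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip, _, _ in flagged]


if __name__ == "__main__":
    hits = suspects(SAMPLE_LOG, threshold=3, known_bad=KNOWN_BAD)
    for ip, n, known in hits:
        print("%-16s %3d failed logins%s" % (ip, n, "  (on block list)" if known else ""))
    print("\n".join(iptables_rules(hits)))
```

Two caveats when running this against real logs: the access log does not record the POSTed username, so “they tried admin” needs a login-logging plugin or a mod_security audit log rather than access.log alone, and a 200 on a POST to wp-login.php can also be a legitimate user mistyping a password, which is why the threshold exists.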

 

 

 

My, my! Bye-bye 2012

The end of the old year rapidly approaching, and the birth of a new one is nigh!

That’s all for this year folks. Let’s see if I can’t come up with something a bit more interesting or relevant in 2013.

A sad farewell to TMG as it gets the chop

Microsoft has announced that the Forefront Threat Management Gateway 2010 (TMG) product is being discontinued. A few of us have suspected this might be the case, but TMG’s death knell is printed here

Like any product, it had its flaws, but it was a plucky little proxy firewall that had some sweet moves; finally beaten by the owner throwing in the towel.

Somewhat bizarrely, TMG will be supported until 2015 and then kept on minimal life support until 2020. Why is this bizarre? Security threats change daily, so a product that gets no further development and has no means of keeping up with changes in technology (hello? IPv6, anyone?) will be a liability to the security team.

MS will either have to bring out a replacement product, or it’s time to find another edge security product that works well with Microsoft products and protocols before the end of the year.

CISSP training in Brisbane 2013 – SANS MGT414 Mentor Session with Ashley Deuble

For the first time SANS® +S™ Training Program for the CISSP® Certification Exam is being run as a mentor class in Brisbane.

Starting on Wednesday the 6th of February, 2013, Ashley Deuble, CISSP, CISM, CISA & GSE #47, is leading the remarkably in-depth and comprehensive SANS training to help you master ISC2’s material and pass the CISSP exam.

Ashley brings his wealth of personal and industry experience to guide you through the courseware, making the dense subject matter clear, understandable and relatable so you’re ready to tackle the CISSP exam with a real knowledge of the CISSP domains.

Download Ashley Deuble MGT414 Flyer or sign up here

Mentoring SANS Hacker Guard: Security Baseline Training for IT Administrators and Operations with Continuing Education in Sydney August 2012

System administrators get a rough deal. They are expected to do their jobs and keep up with the non-stop changes in security, which has a massive impact on their workload. The media routinely preaches that up-to-date patching, antivirus and the latest and greatest security device will keep them and their companies safe. That just isn’t true.

This course brings real-world security awareness to you, the sysadmin, on what to look for if your network is under attack or has been hacked. It helps explain how the bad guys get in and how to block them. This isn’t a course telling you to do all the basic stuff (patching, installing anti-virus software, running hardening guides and so on) that you’ve been doing as part of your job for years; that’s nothing new.

Hacker Guard: Security Baseline Training for IT Administrators and Operations with Continuing Education may sound like a mouthful, but it’s practical, sensible material that you can use in your job. This is all common-sense material that the various OS vendor training courses never tell you about, and it actually makes it easier for you to make your network more secure. Now you’ll be able to hold a solid conversation with the security team, understand what they’re after and how you can help provide it without making your life a misery.

Why SANS Mentor Training?

This is why I think the SANS Mentor classes are a terrific training option. If you live in the Sydney area and are interested in attending SANS classes, please do contact me to get more details!

Pace:

The material is covered over a four-week period, which provides lots of time for you to read on your own and come back to the mentor meetings with questions and get answers. This helps to digest the massive amount of material in smaller, manageable doses. We study 2 or 3 modules each week and that material can be applied immediately on the job.

Cost:

The cost is significantly reduced: it is lower than any other form of SANS training, making it very accessible to those who are budget constrained, which these days is many of us. There is an automatic 25% price reduction from the cost of courses delivered at the conferences. There is no travel or accommodation, so that’s a massive saving in costs. And finally, I can generally offer an additional discount if you contact me prior to registration.

Networking:

Don’t overlook this one. When you are in the two-day conference courses, you definitely get a chance to meet others, talk about your experiences and issues in the field, and maybe even keep in touch via email. But when meeting for four weekly classes with your peers in the same community, that networking experience is enhanced significantly. You have the chance to really get to know the others in the class through the shared experiences, work through the material and bounce ideas off each other; that’s a great benefit to being part of a local Mentor class.

Size:

Class sizes are typically small – much smaller than what you would find at a SANS conference – which means we can focus more closely on those areas which are difficult for the group.

Material:

You get all the same material as you would from the conference course, including the same books, CDs, and even audio files of the full 2-day course lectures.

Feel free to e-mail me with any questions, or visit the course website here:
https://www.sans.org/mentor/class/sec464-sydney-aug-2012-mohan

 

A great guy and friend Wouter, managed to get a room in Sydney’s CBD to hold the training. It’s easy to get to and has parking nearby.

Mentor training location details

Dates: Tuesday, August 7, 2012 – Tuesday, August 28, 2012
Meeting Time: 6:00 PM – 8:00 PM
Where:

Level 33
Ernst & Young Centre
680 George Street
Sydney, Australia 2000

Mentoring SANS Hacker Techniques, Exploits & Incident Handling in Sydney July 2012

I was again offered the opportunity to lead mentoring for SANS Hacker Techniques, Exploits & Incident Handling (SEC-504), here in Sydney, and I leapt at the chance!

I love this course and it helped me reach a deeper understanding on a number of aspects of my role as the IT security person charged with incident response. It provided that real world, hands-on practical skills you need to do this job.

Why SANS Mentor Training?

This is why I think the SANS Mentor classes are a terrific training option. If you live in the Sydney area and are interested in attending SANS classes, please do contact me to get more details!

Pace:

The material is covered over a 10-week period, which provides lots of time for you to read on your own and come back to the mentor meetings with questions and get answers. This helps to digest the massive amount of material in smaller, manageable doses. We study 2 or 3 modules each week and that material can be applied immediately on the job.

Cost:

The cost is significantly reduced: it is lower than any other form of SANS training, making it very accessible to those who are budget constrained, which these days is many of us. There is an automatic 25% price reduction from the cost of courses delivered at the conferences. There is no travel or accommodation, so that’s a massive saving in costs. And finally, I can generally offer an additional discount if you contact me prior to registration.

Networking:

Don’t overlook this one. When you are in the 6-day conference courses, you definitely get a chance to meet others, talk about your experiences and issues in the field, and maybe even keep in touch via email. But when meeting for 10 weekly classes with your peers in the same community, that networking experience is enhanced significantly. You have the chance to really get to know the others in the class through the shared experiences, work through the material and bounce ideas off each other; that’s a great benefit to being part of a local Mentor class.

Size:

Class sizes are typically small – much smaller than what you would find at a SANS conference – which means we can focus more closely on those areas which are difficult for the group.

Material:

You get all the same material as you would from the conference course, including the same books, CDs, and even audio files of the full 6-day course lectures.

Feel free to e-mail me with any questions, or visit the course website here:
https://www.sans.org/mentor/class/sec504-sydney-jul-2012-mohan

A great guy and friend Wouter, managed to get a room in Sydney’s CBD to hold the training. It’s easy to get to and has parking nearby.

Mentor training location details

Dates: Thursday, July 12, 2012 – Thursday, September 13, 2012
Meeting Time: 6:00 PM – 8:00 PM
Where:

Level 33
Ernst & Young Centre
680 George Street
Sydney, Australia 2000

Outlook Tweaks

I continually forget these Outlook settings that make reading lovely HTML emails just that little bit safer. I also like to be able to read the message headers on those odd emails; in Outlook 2010, go to File – Quick Access Toolbar and add Message Header from the All Commands drop-down.

Taken from http://support.microsoft.com/kb/831607

To turn on the Read all standard mail in plain text option in Outlook 2003, follow these steps:

  1. Start Outlook 2003.
  2. On the Tools menu, click Options.
  3. On the Preferences tab, in the E-mail area, click E-mail Options.
  4. In the Message handling area, click to select the Read all standard mail in plain text check box.
    Note By default, the Read all standard mail in plain text option is turned off.

To turn on the Read all standard mail in plain text option in Outlook 2007, follow these steps:

  1. Start Outlook 2007.
  2. On the Tools menu, click Trust Center, and then click E-mail Security.
  3. Under Read as Plain Text, click to select the Read all standard mail in plain text check box.
  4. To include messages that are signed with a digital signature, click to select the Read all digitally signed mail in plain text check box.

When the Read all standard mail in plain text option is turned on, you receive the following notification on the InfoBar at the top of the e-mail message:

This message was converted to plain text.

Note If you decide to view the plain text message in its original format, click the InfoBar, and then select Display as HTML or Display as Rich Text.
To turn on the Read all standard mail in plain text option in Outlook 2010, follow these steps:

  1. Start Outlook 2010.
  2. Click the File tab in the Ribbon, and then click Options on the menu.
  3. Click Trust Center on the Options menu.
  4. Click the Trust Center Settings tab.
  5. Click E-mail Security.
  6. Under Read as Plain Text, click to select the Read all standard mail in plain text check box.
  7. To include messages that are signed with a digital signature, click to select the Read all digitally signed mail in plain text check box.

When the Read all standard mail in plain text option is turned on, you receive the following notification on the InfoBar at the top of the e-mail message:

This message was converted to plain text.