8 Million messages

Posted by Eric | General - Security, News | Thursday 26 June 2008 12:16 pm

From Darkreading

MX Logic last week reported a worm that had generated over 8 million spam messages in an apparent attempt to recruit bots for Srizbi. (See New Worm Spawns More Than 8M Spam Messages.)

Srizbi still hasn’t captured the same amount of attention as Storm, even though it’s been quietly gaining steam. Last month, Marshal reported that Srizbi was sending over 60 billion spam messages (malicious and non-malicious) each day, more than all other botnets put together.

I’ve definitely seen an increase. I completely disregard anything in my Gmail spam folder, but my emh account for hamsterswheel has been averaging 6 spam messages per day. I’m only used to getting around 1 or 2, so this has been a significant increase this week. I wonder if this new botnet has anything to do with it!

Technology: It’s where the jobs are

Posted by Eric | General | Tuesday 24 June 2008 10:17 pm

Back in the year 2000, while everyone I knew was planning what college to go to or what company to accept a signing bonus from, I was busy performing observations. At the time I really didn’t want to attend college. As I sat back and observed, I noticed there was an overwhelming number of people jumping on the ‘Dot Com’ bandwagon. Certification boot camps were popping up by the numbers, and for a few thousand dollars you could become an MCSE. I made a choice to join the military and grab experience I could put on a resume instead of going and getting a certification and joining the workforce. I’m really glad I did, because everything seems to have worked out for me, with oversight from above!

This evening, after reading Dave Aitel’s post on Daily Dave about getting mojo back and realizing I’ve been in a slump for the past few days, I was trying not to focus on it and was browsing some articles. I found an article on BusinessWeek discussing how technology jobs are on the rise. I have to wonder if we will cycle around and again see a bunch of people in IT who don’t have much of a clue and just grab these certifications and start working. What’s worse is if they pump up the jobs and end up having some type of impact (cough 2001-2002 bubble burst cough) on the economy and our IT industry. I’d hate to experience that, and/or see it. I’ve worked with my fair share of people who were in the industry for the money, and I never had a high opinion of them. Now all these articles are starting to stir up hype about them again! What do you think?

PPC Notes

Posted by Eric | Architecture, Research | Tuesday 24 June 2008 10:48 am

Been working through PowerPC assembly and MySQL as of late.

As I was browsing through the book store, hanging out with my son, I noticed a copy of The Database Hacker’s Handbook for less than $9.00; figured I can’t go wrong at that price. I never really had an interest in databases, but as I flipped through the book I realized that aside from a general ability to run through SQL commands I didn’t really have a good understanding of database systems. I created a nice syllabus to run through MySQL for the moment. Towards the latter half I’ll actually get into SQL injection, so if you’ve got some decent tuts in your link base, drop them!

Anyway, PowerPC assembly is hot, still a bit vexing since I’m used to Intel. However, I see how PPC is much cleaner and more efficient. For those interested, I’ve been taking notes as I follow through a syllabus for learning PPC that I created. I modeled it off the Professional Assembly Programming book by Wrox Publishing (which, mind you, is an awesome book for the Intel architecture). Right now I’ve only dropped the architecture overview notes; I am working through moving data around and stacks. PPC is really interesting when you get to stacks, since it doesn’t necessarily have hardware support for one. Using registers and some instructions you can create a stack and manipulate it, but there are no formally defined instructions for it such as Intel’s PUSH and POP.

Notes are in Here.

1 Down, 3.5 to go!

Posted by Eric | Conf, General, escuela | Wednesday 18 June 2008 12:14 pm

Well, I finally got my confirmation and receipt for Black Hat/DEF CON. This year should be a lot more interesting since I’ve established quite a network since last year. I get to meet up with quite a few homies from IRC/SILC this year, party out in the Bellagio and get my learn on! I was going to try and coordinate a team for the oCTF, but as it’s turning out people are quitting their jobs and/or just don’t want to play.

So, one of my classes finished up yesterday. I’ve still got to complete my risk assessment project for it. It’s a bitch; although I see the usefulness of Qualitative Risk Analysis, I still think it’s somewhat tedious. Overall there are many things I picked up in this class that I fully intend on incorporating into my overall processes. Next up to finish is this advanced wireless course. Although the course content in and of itself is advanced (this class is hard core into the protocols of 802.x WANs and MANs), the labs have not been very advanced. I’ve been messing around with some of the air-ng tool set. Unfortunately my IPW3945 card doesn’t like doing things, so I purchased an Orinoco card. Turns out Proxim’s Orinoco Silver isn’t a true Orinoco card. Doing some research, however, I find that I can modify the firmware on the card and make it a true Orinoco. BackTrack 3 also has a custom driver for the ipw2200 card, which I happen to have in my wife’s computer. I’ve been trying to mess with WEP cracking, but it would appear as though the only WEP APs are not generating enough. Even with me doing ARP replays I’m only generating maybe 4-5000 IVs. Since I’m starting to take more of an interest in wireless I am actually starting to consider giving HD some money for his pwntops! Got that in an email yesterday that HD sent to AHA!

Three more classes to go after this term. Can’t wait to be finished with it!

Code Structures

Posted by Eric | Reversing | Wednesday 11 June 2008 10:30 am

When learning to pull apart code, either on Intel or other architectures, it is sometimes difficult to get a grasp on where to start. Without objectives it becomes such a large project that it becomes infeasible, which then gets forgotten or boring because of a lack of outcome. Lately I’ve been working my way through PowerPC, and the manuals should be dished out as medication to those with sleeping problems. Reading a reference manual from front to back is counterproductive! So what is helpful? If you have your copy of “Reversing Secrets of a Reverse Engineer”, I’d like you to open up to appendices A-C. These sections are at the tail end of the book, and I have to wonder how many people actually get to them! Yet they are filled with such great information that they should be towards the front of the book. Building upon these foundations is a great way to learn, but coding up bunk programs and pulling them apart to determine how they work is another means.

This brings me to my next point: what kind of programs should I be coding, and what should they do? Again referring to the appendix of the RE Secrets book, you will see the titles of the sections in bold. I’ve clipped most of them out and put them into a text file to create a sort of outline for myself. Now, if you’re just interested in learning Intel you can simply read through those appendices. But in my case I need to learn the PowerPC, MIPS, ARM and SPARC architectures, and the Intel material didn’t help me. The overall design was good, so I stuck with it. To give you an example, we will first look at topics for Code Structures. Basically you want to code up a few different examples for each of these topics. Once you get the hang of it you can start playing with optimization and building upon the examples. Pulling apart the code and looking up any unknown opcodes is a great way (I’ve found) to learn!

CODE STRUCTURES:

1. Control flow & program layout
2. Functions
3. Single-branch conditionals
4. Two-way conditionals
5. Multi-alternative conditionals
6. Compound conditionals
7. Logical operators
8. Switch blocks
9. Loops
10. - Pre-tested loops (while)
11. - Post-tested loops (do while)
12. - Loop break conditions
13. - Loop skip-cycle statements
14. - Loop unrolling
15. Branchless logic
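The outline above, and the note in the PPC post about building a stack out of registers, both come down to the same exercise: write a small program per construct, compile it, and read the disassembly. What follows is an added example, not code from the post or from the book it draws on; every function name in it is made up for the exercise, and the PowerPC remark in the header comment assumes GCC targeting the 32-bit ELF ABI.

```c
/* Added example, not code from the post or the book: one throwaway program
 * covering the Code Structures outline above, meant to be compiled and pulled
 * apart. Function names are made up for the exercise.
 *   gcc -O0 -g -o structs structs.c && objdump -d structs   (then again with -O2)
 * Built with GCC for 32-bit PowerPC, main() shows the software stack the PPC
 * post describes: stwu on r1 opens the frame where x86 would PUSH, and
 * lwz/addi on r1 close it where x86 would POP. */
#include <stdio.h>
#include <string.h>

/* 3. Single-branch conditional: one compare, one conditional branch. */
int clamp_negative(int x) {
    if (x < 0) x = 0;
    return x;
}

/* 4. Two-way conditional: look for the unconditional jump over the else arm. */
int sign(int x) {
    if (x < 0) return -1;
    else return 1;
}

/* 5-7. Multi-alternative conditional from compound tests; && becomes a chain of branches. */
const char *classify(int c) {
    if (c >= '0' && c <= '9') return "digit";
    else if (c >= 'a' && c <= 'z') return "lower";
    else if (c >= 'A' && c <= 'Z') return "upper";
    return "other";
}

/* 8. Switch block: dense case values usually compile to a jump table. */
int days_in_month(int m) {
    switch (m) {
    case 2: return 28;
    case 4: case 6: case 9: case 11: return 30;
    default: return 31;
    }
}

/* 10. Pre-tested loop (while): compare at the top, backward jump at the bottom. */
unsigned bit_count(unsigned v) {
    unsigned n = 0;
    while (v) {
        v &= v - 1;   /* clears the lowest set bit */
        n++;
    }
    return n;
}

/* 11. Post-tested loop (do/while): body first, compare at the bottom. */
int digit_sum(int v) {
    int s = 0;
    do {
        s += v % 10;
        v /= 10;
    } while (v);
    return s;
}

/* 12-13. Break and skip-cycle: index of the first odd value above limit, else -1. */
int first_odd_over(const int *a, int n, int limit) {
    int found = -1;
    for (int i = 0; i < n; i++) {
        if ((a[i] & 1) == 0) continue;              /* skip-cycle: even values never match */
        if (a[i] > limit) { found = i; break; }     /* break condition: first match */
    }
    return found;
}

/* 14. Loop unrolling by hand: four elements per trip, then a cleanup loop. */
int sum_unrolled(const int *a, int n) {
    int s = 0, i = 0;
    for (; i + 4 <= n; i += 4) s += a[i] + a[i + 1] + a[i + 2] + a[i + 3];
    for (; i < n; i++) s += a[i];
    return s;
}

/* 15. Branchless logic: abs() via a sign mask instead of compare-and-jump.
 * Assumes an arithmetic right shift of negative ints, which GCC and Clang provide. */
int branchless_abs(int x) {
    int mask = x >> 31;   /* all ones when x is negative, else zero */
    return (x ^ mask) - mask;
}

/* 1-2. Program layout and a non-leaf function: the calls force a real stack
 * frame, so this is where to study the prologue/epilogue on each architecture. */
int main(void) {
    int sample[] = {2, 3, 8, 9, 11};   /* constructed input */
    printf("%s %d %u %d %d %d\n", classify('q'), days_in_month(9),
           bit_count(0xFFu), digit_sum(1234), first_odd_over(sample, 5, 5),
           branchless_abs(-7));
    return clamp_negative(sign(-2)) + sum_unrolled(sample, 5) - 33;
}
```

Compile at -O0 first so each construct maps onto its own branch pattern, then at -O2 and diff the two listings: the switch tends to become a jump table, the hand-unrolled loop may be rewritten, and the compiler may turn sign() into branchless code on its own, which is exactly the optimization play the post suggests once the basics are down.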

46 Seconds

Posted by Eric | pen testing | Monday 9 June 2008 11:53 pm

On the second-to-last assessment with my former employer I couldn’t help but shake my head as I heard the raging debate within the organization. One half, who had overall control of the network, were pissed that management was allowing half of the network users to run around with administrative-level permissions. That’s right, over half of the user base had admin-level credentials on their local machine. The thing was, it was a university! Technically the machines were the physical property of the user, but they were attached to the network most of the time. The main problem, which was in the process of being corrected, was a lack of network separation.

I recall being asked by the administrators to show management the risks of allowing users to run as local administrator. Outside of the legal liability of having them install and run P2P software, there is the unauthorized access aspect from the execution of malware. What was really funny was their grievances with the CS students who, no matter what the network administrators did to block outgoing traffic, always seemed to circumvent their controls. As the auditor I found this horrible, but as a CS major I found it quite entertaining. What I ended up doing was showing a 46-second Camtasia video that MC had made on his blog showing remote code execution on a fully patched Windows XP SP2 machine. My immediate statement after the conclusion of the video was:

46 seconds (long pause). That’s how long it took. You may not understand the full technical aspects of what just happened, but I assure you that what happened was full administrator-level control of that workstation (pause) IN LESS THAN 46 SECONDS! From there on out I had their full attention!

This brings me to two posts. First, a post that Dean had done on Carnal0wnage a few months ago, and a recent one I picked up on Google Reader titled Testing for Client Side Vulnerabilities. It’s an interesting post that doesn’t necessarily deliver a technical means in which to test, but certainly outlines a few items to consider as a pen tester. One thing I personally can’t wait for is a client-side framework to come out. You can use Metasploit to test for the exploitation aspect of client sides, but on a large scale I’m not sure how feasible it is. From attending Austin Hackers I know HD Moore is currently working on integrating Karma and Metasploit. This will also give it the potential to rotate through the currently implemented Metasploit modules and test the workstation for any potential vulnerabilities that may exist on the connecting client. I’m sure that if it’s not its own module it would only require a few adjustments to make it into a client-side tester. Custom implementations can then document certain things such as the connecting IP and what client-side vulns may impact the machine, and then you can go from there.

While we are waiting on that, however, you can use JavaScript to rotate through the CLSIDs you have exploits for and test which ones are installed on a machine. From there you can go one of two ways: you can either (1) just document the CLSID and IP address, or (2) press on to exploitation. I guess that depends on both your time constraints and your ROE.

Burnt

Posted by Eric | Competition, General, defcon | Sunday 1 June 2008 9:15 pm

This weekend has come and gone; I’m truly insane and my body is hurting because of it. All this week I was in NC visiting my folks and I got nothing accomplished that I wanted to. There’s something about working off the kitchen table that just impedes my work, I don’t know how some people do it… Anyway, I left a little early not only to get back into the swing of things, but also to participate in the CTF prequals hosted by Kenshoto. This year was a lot harder than last year, but I’m pretty content with my progress. I had made an attempt at assembling a team, and out of those 8 people only two really showed up. I feel bad giving Randy shit about pursuing a PhD ’cause it apparently paid off; dude contributed a lot, and without our collaboration I think I would have fallen short. I actually ended up knocking out a few trivia questions, and I kicked off Forensics 100 and Reversing for 1-300. 400 didn’t open up until very early Sunday morning and it was a killer. The question was “We found this running on your box, you tell us what it is.” As far as I got was deciphering the fact that it was a kernel driver, and from there on out I was burnt. The real world category was new this year and kicked ass, a lil exploitation f00 for ya ear. Randy pulled through with the pwnables 100 by figuring out the finger daemon vuln! Adam from H-town, who I met through AHA!, hooked it up too; him and I did a lot of collaboration on the Reversing challenges. He got burnt out last night and went to bed, so Randy and I kicked 200 back and forth. Turned out the service was ACKing SYN packets instead of SYN-ACKing. Randy came through with the hping f00. But I owe a great deal of gratitude to the cats in HTA who were kicking some f00 and helping along with the collaboration and real world 200, pwnables 200.

Overall, last year Randy and I came up 57 / 160.

This year, with 1 hour left We are 34 / 450.

Definitely learned a few things. I particularly enjoyed the optimized libc functions that needed RE, and picked up some forensics f00 as well!

Screen shot

For a nice taste of some of the past challenges, head over to nopsr.us