Windows PUP: Creating a custom ClamAV signature for windowpromo.exe

I was recently looking into a PUP that seems to get installed with a freeware called Emotiplus, which lets users use fancy emoticons in Skype.

While nothing too bad beyond unwanted requests to dozens of contacts as well as unwanted add-on installation was observed in my test lab, I did see a stream of callbacks to a host: windowpromo.azurewebsites.net

[Screenshot: request to windowpromo.azurewebsites.net]

The response looked like the screenshot below:

[Screenshot: response from windowpromo.azurewebsites.net]

None of the AntiVirus solutions that I had access to were detecting this particular sample. So I took a stab at creating a ClamAV custom signature for this executable – turned out to be quite simple (though the approach I used is quick and dirty and not the most robust way to identify all variants).

Here is what I did:

Step 1: Run a ClamAV scan on the executable to confirm that the file is not detected as malicious.


Step 2: Run strings on the executable to obtain a “signature” string that can be used to create the custom signature in ClamAV.

Step 3: The results from “strings” were not very helpful, so I decided to use the string “windowpromo.azurewebsites.net” as my signature string. The fact that the installed PUP calls out to this host makes me reasonably confident that the sample can be detected based on a signature created from this string.

Step 4: I created the hex output for “windowpromo.azurewebsites.net” using the sigtool utility (the string is echoed into sigtool --hex-dump).


Step 5: Created a signature in the .ndb format that ClamAV understands (SigName:TargetType:Offset:HexSignature, with the hex of the hostname as the signature body):


The file is saved as “test.ndb”. Two things to note:

  • The target type is 0, which tells ClamAV to apply the signature to any file type (1 would restrict it to PE executables, a tighter fit for a Windows sample).
  • The “0a” at the end of the hex string has to be removed: it is the newline that echo appended before the string reached sigtool, not part of the hostname, and a signature that keeps it only matches when a newline happens to follow the host name in the file.

This signature is stored in the custom signature database for ClamAV; when running a scan that needs to reference this custom database, the -d switch must be used, as in Step 6.

Step 6: Run clamscan again using the newly created signature


The “.UNOFFICIAL” suffix that ClamAV appended to the signature name indicates that the database used for this scan is not one of the ClamAV project’s own signed databases.
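The six steps above, mirrored in Python as an added example (this is not code from the post, and ClamAV itself does not ship anything like it). The indicator string is the one from the post; the signature name, the two sample byte strings and the matcher are constructed for the example. The matcher re-implements only the fixed-byte, offset “*” case of an .ndb entry so the signature can be tried without ClamAV installed; the last function runs the real clamscan -d when it is available, and the comparison shows why the stray 0a matters.

```python
"""Build a ClamAV .ndb string signature and check it offline.

Added example, not code from the original post. It mirrors the manual steps
(echo | sigtool --hex-dump, write Name:TargetType:Offset:Hex to a .ndb file,
clamscan -d) in Python, shows where the stray "0a" comes from, and includes a
small matcher so the signature can be tried without ClamAV. The sample bytes
and the signature name are constructed for the example; only the last function
talks to the real clamscan, and only if it is installed.
"""
import os
import shutil
import subprocess
import tempfile
from typing import Optional

INDICATOR = "windowpromo.azurewebsites.net"  # the callback host from the post


def hex_signature(indicator: str, via_echo: bool = False) -> str:
    """Hex-encode the indicator the way `sigtool --hex-dump` does.

    `echo` appends a newline before the bytes reach sigtool, so the dump ends
    in "0a"; via_echo=True reproduces that so the pitfall is visible.
    """
    data = indicator.encode("ascii")
    if via_echo:
        data += b"\n"
    return data.hex()


def ndb_line(name: str, hex_sig: str, target: int = 0, offset: str = "*") -> str:
    """Format one .ndb entry: SigName:TargetType:Offset:HexSignature.

    target 0 = any file type, 1 = PE executable (a tighter fit for a Windows
    sample); offset "*" = match anywhere in the file.
    """
    if ":" in name:
        raise ValueError("signature names must not contain ':'")
    return f"{name}:{target}:{offset}:{hex_sig}"


def ndb_matches(line: str, data: bytes) -> bool:
    """Minimal stand-in for clamscan on a fixed-byte .ndb entry with offset "*":
    decode the hex and look for exactly those bytes anywhere in the file."""
    _name, _target, offset, hex_sig = line.strip().split(":")
    if offset != "*":
        raise NotImplementedError("only offset '*' is handled here")
    return bytes.fromhex(hex_sig) in data


# Constructed stand-ins for the sample. A PE stores the hostname as a
# NUL-terminated C string, so a newline never follows it; a text config might.
SAMPLE_PE_STYLE = b"MZ\x90\x00" + b"\x00" * 16 + INDICATOR.encode() + b"\x00" * 17
SAMPLE_TEXT_STYLE = b"host=" + INDICATOR.encode() + b"\n"


def demo() -> dict:
    """Build the signature with and without the stray 0a and compare hits."""
    good = ndb_line("Win.PUP.Windowpromo", hex_signature(INDICATOR))
    bad = ndb_line("Win.PUP.Windowpromo.with0a", hex_signature(INDICATOR, via_echo=True))
    return {
        "good_sig": good,
        "good_hits_pe": ndb_matches(good, SAMPLE_PE_STYLE),
        "bad_hits_pe": ndb_matches(bad, SAMPLE_PE_STYLE),      # False: no 0a after the host
        "bad_hits_text": ndb_matches(bad, SAMPLE_TEXT_STYLE),  # True: newline follows host
    }


def clamscan_with(ndb_text: str, data: bytes) -> Optional[str]:
    """Run the real clamscan against `data` using only this .ndb, i.e. the post's
    `clamscan -d test.ndb <file>`. Returns None when clamscan is not installed."""
    if shutil.which("clamscan") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        sig_path = os.path.join(d, "test.ndb")
        sample_path = os.path.join(d, "sample.bin")
        with open(sig_path, "w") as f:
            f.write(ndb_text + "\n")
        with open(sample_path, "wb") as f:
            f.write(data)
        proc = subprocess.run(["clamscan", "-d", sig_path, "--no-summary", sample_path],
                              capture_output=True, text=True)
        return proc.stdout.strip()


if __name__ == "__main__":
    result = demo()
    print(result["good_sig"])
    print(result)
    print(clamscan_with(result["good_sig"], SAMPLE_PE_STYLE))
```

Running it prints the .ndb line and a dict showing that the signature built from a clean hex dump hits the PE-style sample while the one that kept the 0a does not; with clamscan on the path the final line is the scanner’s own verdict, with the .UNOFFICIAL suffix on the name.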


IAPP – Privacy Technologist Credential Quick Notes

In the days of connected living, lots of amazing new products and features are released every day. Being part of the grid helps encourage innovation, effective collaboration, and possibly a better way of living in general!

The rush to roll out the products and/or features that enable this connected existence has a strong tendency to dissipate focus on one important area concerning the entity at the center of it: the human and his/her right to privacy.

Most of these products take a “will this put me in legal soup?” approach and push the limits to the maximum, rather than being designed with the privacy protections of the end users built in. As with security, the general view of privacy is that it hinders reaping maximum profitability from the product.

I have been heavily involved in secure software development lifecycle projects in my career. So, in order to get a better insight into a privacy-focused software development lifecycle, I decided to pursue the CIPT credential from IAPP.

My take was that unless the technology folks are made to understand the importance of privacy (and of course security), a real long-term resolution of the privacy/security crisis will not be possible. The goal was to get a structured understanding of what technologists, not management/leaders, need to know to make knowledgeable decisions about data privacy as they build a product.

While working on my preparation, I realized that there is a lot of CIPP information available (it’s the most popular of the privacy credentials) but not much on CIPT. Hence I am including a short summary of my plan below.

My only reference for the certification was the book “Privacy in Technology – Standards and Practices for Engineers and Security and IT Professionals” by JC Cannon. The book is well written, and for someone with a technical background this is the only book needed for CIPT.

Individuals with no knowledge of technical concepts around network security, cryptography, and authentication schemes will find this test a little tough. On a scale of 0-5, one must have at least a 1.5-2 level of knowledge of the aforementioned concepts to be comfortable with the type of questions that the exam has.

Reading up freely available articles on the technical concepts mentioned should suffice in understanding the concepts highlighted in the book.

The course covers a lot of good information on privacy-focused architecture and development practices, privacy notices and tools.

Did I find the course worth the dollars/time spent? Yes! In a world where most do not understand the importance of data privacy and confuse data privacy with data security, the materials covered in this course are refreshingly to the point.

Whether one will get a promotion because he/she got a CIPT, well, that depends :)

WordPress Blog with 2FA setup for Windows Live Writer

I use two-factor authentication for my WordPress blog login. So, when I tried setting up Windows Live Writer as my local WordPress blog editor, I ran into the following error:

[Screenshot: Windows Live Writer login error]

To set up the application-specific password, I had to log on to my WordPress account, navigate to https://wordpress.com/me/security , click on the “Two-Step Authentication” tab and click on “Add new application password”.

[Screenshot: Two-Step Authentication tab]

Enter a name for the Windows Live Writer application and click on “Generate Password”.

[Screenshot: generated application password]

The new password is displayed on the screen. It lets this one client in without the second factor, so treat it like the account password itself and revoke it from the same page once the client is no longer in use.

I copied the password into the Windows Live Writer setup window to complete the setup.

[Screenshot: Windows Live Writer setup window]

I did check “remember password” on the Windows Live Writer setup window.

AWS Solutions Architect – Associate Certification – Quick Notes

Earlier this week, I attempted (and passed!!) the AWS Solutions Architect – Associate certification.

This was my first look at an Amazon certification and here is a short write-up on my experience.

Worthy investment of time and money?

Depends how you look at it.

It’s a multiple-choice test, so there is a case that this certification does not reflect the actual experience/practical skill of the taker: someone with a better-than-average memory could just read through the documentation and possibly clear the exam.

Maybe yes…

…but the test was not quite what I expected it to be. It was very scenario-based: things that you can answer only if you have done hands-on deployments on AWS, or at least have done web-based application deployment (in general) in the past.

Some of the questions are common-sense experience questions that test your generic N-tier architecture, network protocol, and port-level skills/understanding. These questions have nothing to do with AWS as such, which makes sense considering that as an architect there are certain skills one must have irrespective of the platform.

In fact there were no “what’s the full form of XYZ service?” type questions, at least in my test.

Worthy? – I’d say yes! Considering the level of adoption of AWS in different sectors, it’s almost certain that everyone in the technology sector will come in contact with AWS at some point. This certification/syllabus provides a very good introductory exposure to AWS.

Preparation Material:

1) AWS Certified Solutions Architect – Associate 2015 – Ryan Kroonenburg (Udemy link)

Do I recommend this? – Absolutely Yes! The training is very well paced and the hands on labs are very thorough. Ryan’s lectures are easy to follow.

Note: While this training has almost everything you need for this test, either as part of the lectures or as additional pointers, passing the final exam will require you to go the extra mile by actually following that guidance. Please do.

2) AWS FAQs – I referred to the general ones for VPC, EC2, S3, EBS, RDS, SQS

Do I recommend this? – Absolutely Yes! Read as many as you can.

3) Whitepapers – I was already familiar with the AWS Security Best Practices one but I did read the following:

  1. Amazon Web Services: Overview of Security Processes
  2. Storage Options in the AWS Cloud
  3. Architecting for the AWS Cloud: Best Practices

Do I recommend this? – Absolutely Yes!

Practice Exam:

1) AWS Practice Test – For $20 it gives a sense of the exam interface; that’s the only benefit I got out of this test.

Do I recommend this? – Not a must do.

2) Acloudguru AWS practice test on Android – Unlike the training program, which is awesome, this app feels more like a work in progress; there are a lot of questions (ones that are not in the course tests) but not many scenario-based ones. I am sure this will improve over time.

Do I recommend this? – Again, not a must do, but considering the number of questions it may be worth a look if you can spare ~$20. I did and don’t regret it.

Some additional notes:

My AWS experience:

I am an Applications Security Engineer by profession and my primary work responsibilities do not involve going hands-on with AWS deployments on a day-to-day basis. My AWS responsibilities are mainly limited to security-related consultancy on an as-needed basis.

The reason I wanted to take this certification is to vet my knowledge in carrying out that responsibility.

Note that I do have substantial web application architecture/development/deployment/security experience.

For those on the fence about whether they can pass the exam or not: the reason I mentioned my experience with AWS above is to drive home the point that on a novice-to-expert scale I would rate myself as a low intermediate on all but one domain (security!) covered in this exam, and I passed.

So, with the right amount of time and focus, you can too!

Diffie-Hellman key exchange

Diffie-Hellman – Layman’s terms

Basic info (table 1):

$(2^x)^y = 2^{xy} = (2^y)^x$

For DH, x and y are very large numbers, and every calculation below is done modulo a large public prime p; the base 2 and the prime p are public and shared by both sides. The reduction modulo p is what keeps x and y secret: sent as a plain integer, $2^x$ reveals x at a glance (it is the position of the top bit), while recovering x from $2^x \bmod p$ is the discrete logarithm problem.

Step 1: GB selects a large random number, x.

Step 2: GB raises 2 to the power of x, reduces modulo p, and obtains, say, G ($= 2^x \bmod p$).

Step 3: GB sends G to SB.

Step 4: SB selects a large random number, y.

Step 5: SB raises 2 to the power of y, reduces modulo p, and obtains, say, S ($= 2^y \bmod p$).

Step 6: SB sends S to GB.

Step 7: Each side raises the value it received to its own secret (everything modulo p):

  GB (holds x, received S)                SB (holds y, received G)
  $S^x$                                   $G^y$
  $= (2^y)^x$   from Step 5               $= (2^x)^y$   from Step 2
  $= 2^{yx}$    from table 1              $= 2^{xy}$    from table 1
  $= 2^{xy}$                              $= 2^{xy}$

Step 8: Both SB and GB now have the same shared secret, $2^{xy} \bmod p$, without ever having transferred it. An eavesdropper who saw G, S, p and the base 2 would have to solve a discrete logarithm to recover x or y.
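The exchange above, carried through in code with the same symbols, as an added example that is not part of the original post. The prime p here is a constructed toy parameter (64 bits, so the run is instant and so brute force would also be instant); real deployments take p and the base from a published group (the RFC 3526 MODP groups, for example, also use base 2, with p of 2048 bits or more) or use an elliptic-curve variant. The last function shows what goes wrong when the modulus is left out.

```python
"""Diffie-Hellman in the write-up's symbols, with the modulus the sketch needs.

Added example, not code from the original post. GB holds x and sends
G = 2^x mod p; SB holds y and sends S = 2^y mod p; both then compute
2^(xy) mod p. P is a constructed toy parameter, not a standardized group, and
the base 2 is kept only to match the text.
"""
import secrets

P = 2**64 - 59   # largest prime below 2^64; toy size, breakable by brute force
BASE = 2         # the "2" of the write-up (also the base of the RFC 3526 groups)


def public_value(own_secret: int, p: int = P) -> int:
    """2^secret mod p: the value each side puts on the wire (G or S)."""
    return pow(BASE, own_secret, p)


def shared_secret(peer_public: int, own_secret: int, p: int = P) -> int:
    """peer^own mod p: GB computes S^x, SB computes G^y, both get 2^(xy) mod p.

    Reject 0, 1 and p-1 from the peer: those collapse the result to a value
    an attacker already knows, whatever own_secret is.
    """
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_secret, p)


def exchange(p: int = P):
    """Run both sides. Returns (G, S, GB's secret, SB's secret)."""
    x = secrets.randbelow(p - 3) + 2    # GB's private exponent, Step 1
    y = secrets.randbelow(p - 3) + 2    # SB's private exponent, Step 4
    G = public_value(x, p)              # Steps 2-3
    S = public_value(y, p)              # Steps 5-6
    gb_secret = shared_secret(S, x, p)  # Step 7, GB side: S^x
    sb_secret = shared_secret(G, y, p)  # Step 7, SB side: G^y
    return G, S, gb_secret, sb_secret


def recover_secret_without_modulus(g_no_mod: int) -> int:
    """Why the modulus matters: if G = 2^x is sent as a plain integer, x is
    just the position of its top bit and an eavesdropper reads it off."""
    return g_no_mod.bit_length() - 1


if __name__ == "__main__":
    G, S, gb, sb = exchange()
    print("on the wire:", G, S)
    print("shared secret equal:", gb == sb)
    print("without mod p, x recovered as", recover_secret_without_modulus(2 ** 4321))
```

The range check in shared_secret is the practical caveat the sketch leaves out: a peer that sends 0, 1 or p-1 forces the shared secret into a set of at most two values regardless of your own exponent, so real implementations reject those before exponentiating.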

HTTP Secure Headers – How prevalent are these?

Recently Twitter added Public Key Pinning to their SecureHeaders Ruby gem, which now covers 8 security headers. (Public Key Pinning has since been deprecated and removed from the major browsers: a wrong pin set locks users out of a site for the pin’s max-age, with no recovery from the server side.)

I wanted to check the prevalence of these secure HTTP headers amongst the top websites to get a sense of the awareness around these very efficient mechanisms for addressing a plethora of security-related issues.

For reference, CSP is documented here.

I checked most of the publicly available 2014 list of the top 500 sites on the web from Fortune.com for this purpose, and the stats for the 8 headers that the SecureHeaders Ruby gem covers are:

  Header                                   Sites setting it
  CSP                                       2
  HTTP Strict Transport Security (HSTS)     5
  X-Frame-Options (XFO)                    81
  X-XSS-Protection                         12
  X-Content-Type-Options                   26
  X-Download-Options                        0
  X-Permitted-Cross-Domain-Policies         1
  Public Key Pinning                        0

This is not a comprehensive test (and possibly not error free) but these numbers do point towards a possible lack of adoption for these gradually improving (and easy to use) security enforcement mechanisms.

Part of the reason for this may be the uneven way browsers enforce these checks (for example, X-Download-Options is honoured only by Internet Explorer), but considering that these do not break anything if used sensibly (CSP and Public Key Pinning both have report-only variants, Content-Security-Policy-Report-Only and Public-Key-Pins-Report-Only, that report violations without enforcing), they can be used to gradually improve the security stance of most websites without much effort.

Note: Tristan Waldear has created a Python-Flask package for the same headers and is hosted here.
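The tally behind the table above, written out as an added example (not code from the post or from either of the packages mentioned). The header names are the real response headers; the five sample responses are constructed, so the counts describe the sample and not the Fortune list. Beyond presence, it also flags headers that are set to a value that gives no protection, since a site can appear in the count while gaining nothing.

```python
"""Tally the eight SecureHeaders headers over a set of HTTP responses.

Added example, not code from the original post. The header names are the real
response headers the Ruby gem sets; the responses below are constructed, so the
counts describe this sample only. Each response is a plain dict of header name
to value, which is what http.client or requests hands back for a real fetch.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set

SECURE_HEADERS = [
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "X-Download-Options",
    "X-Permitted-Cross-Domain-Policies",
    "Public-Key-Pins",
]
# Report-only variants log violations without enforcing, so a site can turn
# them on first; they are counted separately.
REPORT_ONLY = ["Content-Security-Policy-Report-Only", "Public-Key-Pins-Report-Only"]


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise once."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def present(headers: Dict[str, str]) -> Set[str]:
    """Which tracked headers (enforcing or report-only) a response carries."""
    h = _lower(headers)
    return {name for name in SECURE_HEADERS + REPORT_ONLY if name.lower() in h}


def weak_values(headers: Dict[str, str]) -> List[str]:
    """Headers that are present but set to a value that gives no protection."""
    h = _lower(headers)
    issues = []
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        max_age = 0
        for directive in hsts.split(";"):
            key, _, value = directive.strip().partition("=")
            if key.lower() == "max-age" and value.strip('"').isdigit():
                max_age = int(value.strip('"'))
        if max_age == 0:
            issues.append("Strict-Transport-Security without a positive max-age disables HSTS")
    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN") and not xfo.upper().startswith("ALLOW-FROM "):
        issues.append(f"X-Frame-Options '{xfo}' is not a value browsers honour")
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        issues.append(f"X-Content-Type-Options '{xcto}' should be 'nosniff'")
    xss = h.get("x-xss-protection")
    if xss is not None and xss.startswith("0"):
        issues.append("X-XSS-Protection: 0 switches the browser filter off")
    return issues


def tally(responses: Iterable[Dict[str, str]]) -> Counter:
    """Count how many responses carry each header: the post's table."""
    counts: Counter = Counter({name: 0 for name in SECURE_HEADERS + REPORT_ONLY})
    for headers in responses:
        counts.update(present(headers))
    return counts


# Constructed sample responses (not measurements of any real site).
SAMPLES = [
    {"Server": "nginx", "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
     "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff"},
    {"server": "Apache", "x-frame-options": "DENY", "x-xss-protection": "0"},
    {"Content-Security-Policy-Report-Only": "default-src 'self'", "X-Frame-Options": "SAMEORIGIN"},
    {"Set-Cookie": "session=abc; HttpOnly"},
    {"Strict-Transport-Security": "max-age=0", "X-Content-Type-Options": "nosniff",
     "X-Frame-Options": "ALLOWALL"},
]


if __name__ == "__main__":
    for name, count in tally(SAMPLES).items():
        print(f"{name:40s} {count}")
    for i, sample in enumerate(SAMPLES):
        for issue in weak_values(sample):
            print(f"sample {i}: {issue}")
```

To run it against live sites, replace SAMPLES with the header dicts returned by your HTTP client for each homepage; the case-folding in _lower is what lets the same code count “x-frame-options” from one server and “X-Frame-Options” from another as the same header.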

Drag Microsoft Office Excel Conditional format…

For the umpteenth time, I spent >2 hours figuring out a way to drag my custom format incrementally across Excel rows.

Here is the use case:

I have an Excel spreadsheet that contains columns that look like below:

[Screenshot: the spreadsheet columns]

The custom format that I needed was:

1) Fill green if the value in cells B, C, and D is greater than or equal to the value in cell A of that row.

2) Fill yellow if the value in cells B, C, and D is less than the value in cell A of that row.

Exact Requirement: I want to create the formatting for the cells in one row, drag it down and expect Excel to do the incremental adjustments to the cell values as needed.

By default when I create the formula using the “Conditional Formatting” option it creates something like this:

[Screenshot: default conditional formatting rule]

If I “Format Paint” other cells, the “Cell Value < $C$1” remains static. I wanted it to change based on the row it is on.

The fix was simple (I think there are better ways too!):

1) In the formula, remove the $ from the “Cell Value…” reference for the part that needs to change: drop it from the row number but keep it in front of the column letter (so $C$1 becomes $C1), and the column stays anchored while the row follows each painted cell. When I updated the formula like below I was able to format-paint it over other cells:

[Screenshot: updated rule with a relative row reference]

In retrospect, that was simple…