So for this weeks lab/class we talked about web application security and some of the various ways of exploiting vulnerabilities in web applications. We learned about how to execute basic cross-site scripting attacks (XSS), SQL injections, and cross-site request forgery (CSRF).
We also took a look into the OWASP Top 10 which is the the top 10 most common web application security vulnerabilities created by the OWASP. OWASP is a worldwide non-profit organization who's focus is to improve web application security by making it more visible so people know the types of issues that exist in web application security. Here is the OWASP Top 10 for 2010:
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Click here to see a .pdf file made by OWASP that details all the vulnerabilities, how they work, how to stop them, and other useful resources. If you are a web developer and have not read this document or some variation of it I strongly suggest you do.
Lastly we were assigned the lab for this week which required us to install Mutillidae. Mutillidae is a deliberately vulnerable set of .php scripts that form a website which can be exploited in various ways to illustrate the vulnerabilities that exist in the OWASP Top 10 and how to exploit them. The idea here being that the more you know about how to exploit the vulnerabilities, the easier it will be for you to stop them from happening.
Friday 28 October 2011
Sunday 16 October 2011
Week 6 - Playin' with Sasser.b
This weeks class didn't consist of a lecture (yes!) but rather our prof just handed us the lab assignment and let us go off and get it done. The lab assignment was pretty simple - we just had to download and run a piece of malware (I chose Sasser.b) within our XP VM and monitor it's manipulation of the system.
First we had to boot up our virtual machine, download the virus onto the desktop, and disconnect all virtual NICs so our machines weren't able to spread the virus through the network.
Next we started up a program called ProcMon (download here) which allows you to monitor all changes to the file-system, registry, and monitor network activity. This program helps us get a better look at the virus and what it's doing.
Next we just ran the virus on the system by opening a file called "malware.exe" which is the executable containing the virus. As soon as we ran the virus we noticed the system become extremely slow and sluggish sometimes non-responsive and we started seeing a TON of activity on ProcMon related to malware.exe. We saw files being created and changed, registry entries being created and changed, lots of reads and writes to the filesystem, threads being created all over the place etc. It was very clear the virus had begun to infect the system. We also began getting Windows errors as early as 45 seconds after running the virus. Here's a screenshot:
This is what you see in ProcMon when you open the virus. You can see the original process being created and then the virus activity starts:
The ports that were open prior to running the virus:
Now after:
Sasser.b uses threads to scan random IP addresses. If the connection through port TCP 445 succeeds, the worm will check if the system is vulnerable. If it is, Sasser will open a shell through port TCP 9996 and will force an FTP connection through port TCP 5554 to download the worm to the vulnerable system. In the above screenshot you can see TCP port 5554 is open and the worm is attempting to spread through the network.
Further examination of the registry shows a new key created by the virus which allows it to run each time Windows boots. The key is cleverly named "avserve2.exe" to make it look like an Anti-Virus program but we obviously know it's not.
So that just about takes care of it for this week. I hope you've enjoyed my brief look into the Sasser.b worm and what it does. Please let me know if you have any questions. Thanks for reading!
First we had to boot up our virtual machine, download the virus onto the desktop, and disconnect all virtual NICs so our machines weren't able to spread the virus through the network.
Next we started up a program called ProcMon (download here) which allows you to monitor all changes to the file-system, registry, and monitor network activity. This program helps us get a better look at the virus and what it's doing.
Next we just ran the virus on the system by opening a file called "malware.exe" which is the executable containing the virus. As soon as we ran the virus we noticed the system become extremely slow and sluggish sometimes non-responsive and we started seeing a TON of activity on ProcMon related to malware.exe. We saw files being created and changed, registry entries being created and changed, lots of reads and writes to the filesystem, threads being created all over the place etc. It was very clear the virus had begun to infect the system. We also began getting Windows errors as early as 45 seconds after running the virus. Here's a screenshot:
This is what you see in ProcMon when you open the virus. You can see the original process being created and then the virus activity starts:
The ports that were open prior to running the virus:
Now after:
Sasser.b uses threads to scan random IP addresses. If the connection through port TCP 445 succeeds, the worm will check if the system is vulnerable. If it is, Sasser will open a shell through port TCP 9996 and will force an FTP connection through port TCP 5554 to download the worm to the vulnerable system. In the above screenshot you can see TCP port 5554 is open and the worm is attempting to spread through the network.
Further examination of the registry shows a new key created by the virus which allows it to run each time Windows boots. The key is cleverly named "avserve2.exe" to make it look like an Anti-Virus program but we obviously know it's not.
So that just about takes care of it for this week. I hope you've enjoyed my brief look into the Sasser.b worm and what it does. Please let me know if you have any questions. Thanks for reading!
Subscribe to:
Posts (Atom)