## Sunday, February 26, 2012

### How to select a good password

"How to choose a good password" is a recurring theme. There is not a single company that hasn't had that kind of question or concern at some point, and most IT/security people end up losing their voices trying to spread the good word.

"What is a good password?" is in itself an interesting question. People tend to answer this in terms of length, complexity, entropy, presence in a dictionary, and so forth. Let's explain a few terms.

#### Length

The easiest of all. This is simply the number of characters that make up the password.

#### Complexity

This relates to the individual "components" of the password. Usually, a distinction is made between four big sets:

• Lowercase letters: a through z
• Uppercase letters: A through Z
• Digits: 0 through 9
• Special characters or symbols: anything that is neither a letter nor a digit

The definition of "letters" is in itself quite fun: English speakers may consider accented characters as special characters, whereas (for example) French speakers may consider them normal letters. In addition, non-Roman alphabets also exist, which further expands the definition of letters.

For the sake of simplicity, let's consider as "letters" the unaccented letters of the Roman alphabet.

#### Entropy

A fun word, which relates to the distribution of characters in the password. For instance, "aaaa1111::::" has a low entropy, as there are only three different characters, whereas "abcd:;.,1234" has a higher entropy.

#### Presence in a dictionary

Pretty much everybody agrees that using "password" as the password is either lame or something out of a Hollywood movie. However, according to analyses of the passwords leaked by LulzSec, "password" is indeed in the top three. But a dictionary is also more than the usual list of words we all know: sequences of characters are also mapped into lists (123456, abcde, qwerty ...), as are nicknames and pet names (Sweetycakes, Rufus, Catzie ...); even phone numbers and car plates may be used.

#### How to choose it?

OK, now that we have this information, we can start answering. For decades, IT and security people tried to train users to select obscure, hermetic and hard-to-remember passwords, thinking that if the owner can't remember it, nobody else will be able to guess it.

This approach led to situations where users would request a password change every other week because they had forgotten it, or would write the password down on a sticky note stuck to the monitor (I have seen that one).

Let's find another way.

Things we usually remember are words: table, bed, teddy, dog are four words that you would probably remember from this text in an hour. So why not combine them?

Is "1Table2Beds,3Teddy&aDog" a good password? You betcha! Can you remember it? It will most likely take a few minutes to learn it, but once done, you will probably not forget it.

• Think of 3 or 4 words, if possible each 3 characters or longer
• Imagine a fun way of mixing them together, using numbers and punctuation marks
• Think of it as a melody or as a story

And ... voila! You have a secure password. With 3 words of at least 3 characters, your password is already longer than 8 characters. Add 2 characters in between and a final punctuation mark, and you have 11 characters.
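To make the four properties above and the recipe concrete, here is an added example (not code from the original post) that measures length, character classes, entropy and dictionary presence for a candidate, and generates a password the way the post recommends. The word list, the mini "dictionary", the separator set and the sequence-stripping rule are all assumptions made for the example; a real check would load a large cracking dictionary.

```python
import collections
import math
import secrets
import string

# Constructed stand-in for a cracking dictionary: common words, keyboard
# sequences and pet names of the kind the post lists. A real check would
# load a large word list; this one exists only so the example runs offline.
COMMON_ENTRIES = {
    "password", "123456", "abcde", "qwerty", "letmein",
    "sweetycakes", "rufus", "catzie",
}

# Character classes as the post defines them: unaccented Roman letters,
# digits, and everything else counted as "special".
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
}

# Constructed word list for the generator (assumption); real use would draw
# from a much larger list of words the user finds memorable.
WORDS = ["table", "bed", "teddy", "dog", "lamp", "river", "coffee", "piano"]
SEPARATORS = ",.&!-"


def char_classes(pw):
    """Complexity: the set of class names present in pw."""
    found = set()
    for ch in pw:
        for name, chars in CLASSES.items():
            if ch in chars:
                found.add(name)
                break
        else:
            found.add("special")
    return found


def shannon_entropy_bits(pw):
    """Entropy in the post's sense: bits per character of the password's own
    character distribution, so 'aaaa1111::::' scores below 'abcd:;.,1234'."""
    if not pw:
        return 0.0
    n = len(pw)
    counts = collections.Counter(pw).values()
    return -sum((c / n) * math.log2(c / n) for c in counts)


def in_dictionary(pw, entries=COMMON_ENTRIES):
    """Dictionary presence, case-insensitive, also after stripping the
    digits and symbols people bolt on ('Password1' -> 'password')."""
    lowered = pw.lower()
    letters_only = "".join(ch for ch in lowered if ch.isalpha())
    return lowered in entries or (letters_only != "" and letters_only in entries)


def assess(pw):
    """Report the four properties the post discusses for one password."""
    return {
        "length": len(pw),
        "classes": sorted(char_classes(pw)),
        "entropy_bits": round(shannon_entropy_bits(pw), 3),
        "in_dictionary": in_dictionary(pw),
    }


def passphrase(n_words=3, words=WORDS):
    """Build a password the way the post recommends: a few short words,
    each capitalised and numbered, glued together with punctuation.
    secrets (not random) is used so the choices are unpredictable."""
    parts = []
    for _ in range(n_words):
        word = secrets.choice(words).capitalize()
        parts.append(str(secrets.randbelow(9) + 1) + word)
    out = parts[0]
    for part in parts[1:]:
        out += secrets.choice(SEPARATORS) + part
    return out


if __name__ == "__main__":
    for candidate in ("password", "Password1", "1Table2Beds,3Teddy&aDog", passphrase()):
        print(candidate, assess(candidate))
```

Running it side by side shows the contrast the post draws: "password" is 8 characters, one class, and a dictionary hit, while "1Table2Beds,3Teddy&aDog" is 23 characters across all four classes and not in the list, even though every word inside it is an ordinary one.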

Happy Surfing!

## Sunday, February 19, 2012

### Trinity Rescue Kit to the ... rescue!

So, after playing with my virtual machine and the malware I downloaded from my e-mail account, it is time for some experiments from the other side: the clean-up effort.

Cleaning up after a virus infection is probably the most horrible task I have ever had to perform. Not only does it take a long time, but you can't rely on the installed operating system anymore, all systems have to be taken down or isolated to control the spread of the infection, the users call every 30 seconds asking when "they will be able to work because they have important things to do" and, of course, it always happens when there is something else interesting to do.

Until recently, when I had to be involved in a clean-up effort, I tended to ask for the hard drives to be imaged - to keep a copy of the infection - then I connected the drive to another machine known to be clean, and I ran the antivirus tools from there. Not only was this extremely time-consuming, but it required access to the machine, which is possible with workstations or stand-alone servers, not so much with virtual machines, not to mention the fact that servers nowadays have multi-terabyte storage on SANs. Another solution had to be found.

Enter a cool distro: TRK - the Trinity Rescue Kit. It does way more than just virus scans, but that's a non-negligible part of its job. Among the other tasks, let's just mention password recovery, junk-file cleanup, backup/restore and the imaging facility.

Back to the virus clean-up. TRK comes with no less than five different AVs: ClamAV, F-Prot, BitDefender, Vexira and Avast. The last one requires that you register to get a key, which is free.

There are two ways to access these tools: the menu-driven interface or the command line.

First stop: mounting the local file systems. The menu-driven interface has an option to mount all the local file systems automatically, and all the operations are taken care of: if your NTFS volume was not unmounted cleanly, i.e. you powered the machine off in a rush, the automated mount will mount it after taking care of the possible issues. A small caveat though: these file systems are mounted read-write when possible, so be aware that there is a risk of touching things on the hard drive.

An interesting point: in one of my tests, I ran TRK on a MacBook Pro. It automatically mounted the local drive (UFS), but read-only.

If you want to keep maximum control, I recommend opening a shell and mounting the relevant file systems by hand, using mount. For NTFS file systems, the ntfs-3g suite is present and can be used for that purpose.

Next step: the virus scanning. Again, either menu-driven, where you choose your AV, or at the command line using the virusscan command.

After selecting the destination to scan, you proceed and select the AV to run.

As mentioned, the other way is to use the virusscan command. This is a one-stop shop for scanning a file system: it takes care of all the necessary steps, such as downloading and installing the relevant packages, updating the virus definitions, and running the scan.

I found I needed to use this way for the MacBook Pro scan: by default and through the menu-driven interface, a log file is written in the mount point, which is at the root of the scanned file system. When the mount is done read-only, as it was with my UFS, this is not possible, and the scan will fail.

By default, ClamAV will be run. Concerning this one, an important note is that infected files will be reported and quarantined, but not deleted.

An example of the command is:

```
virusscan -a clam,fprot -d /sda1 -l /
```

This will run both ClamAV and F-Prot against the file system mounted on /sda1; logs will be written under /, and not on the mounted file system.

A gotcha: if you try to run Vexira, it will fail, due to an error in the command-line switch for the updater.

Here is a workaround:

```
virusscan -a va -d /<to scan>
# This will fail, that's normal
./vdbupdate.sh
```

This will start the download of all the updates. After that, you may proceed and run the scan normally:

```
cd /
virusscan -a va -d /<to scan>
```

Back to the test. My virtual machine was infected with the strain I got in the "Booking.com" e-mail. Running the various scans in sequence, I get:

ClamAV - 0 infected file detected
F-Prot - 1 infected file detected
BitDefender - 0 infected file detected
Vexira - 0 infected file detected
Avast - 0 infected file detected

To be fair to BitDefender, Vexira and Avast, they were run after F-Prot, so they may have detected it if given the chance.

The file F-Prot categorized as malware is "/Users/Administrator/AppData/Roaming/winc.exe", detected as W32/Trojan.DFP. The file was removed.

However, when the machine restarted and I logged on, another access was made to "yerurr.com", meaning the actual infection was not removed. After rebooting and rescanning with F-Prot, no infected file was found, so indeed, something is still present on the system, but not yet detected.

If you recall, in order to execute the malware on my 64-bit install of Windows 2008, I had to disable DEP. After re-enabling it and rebooting the machine, an executable was blocked: memnvexec.exe. This file lives in /Users/Administrator/AppData/Roaming. This is actually the same file as "servicesa.exe" that I saw downloaded from a website in Germany during my initial run of the strain. As of now, this file is not detected by any AV present on VirusTotal.
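The lesson of the last three paragraphs is that a clean scan does not mean a clean disk: the dropped binary sat in AppData\Roaming with no AV signature for it. A cheap complement to the scanners, run from the TRK shell against the mount point (ideally mounted read-only as recommended above), is to hash every executable in each profile's drop directory and compare it to the hashes one already knows. The following is an added example, not part of TRK or of the original post; the watch-list holds the MD5 values the posts on this page report, the directory list and extension list are assumptions, and the sample tree it builds is a constructed fixture with placeholder bytes, not the real files.

```python
import hashlib
import os
import tempfile

# MD5 values the posts on this page report for the samples they analysed,
# with the file names given for them. Used here as a small watch-list.
KNOWN_BAD_MD5 = {
    "46ea3e441be4ba82fa2d059a5ca45f23": "Booking-Com-Reservation.exe",
    "e877998eef741bc7ed688584ed7595b6": "Booking-Reservation-Details-NUM930833336.zip",
    "8d39f983e08f68ca4ccb3a92f5e4a7ac": "servicesa.exe (www.floodwave.de)",
    "b8d96b95875bc31d9f5448e5d06837cc": "DHL_Express_Shipment_POST_ORDER_ID92VMUANA.zip",
    "cc6e8193c7475ef34f79ab82ec6f90fc": "DHL_Express_Shipment_POST_ORDER_ID.exe",
    "3162d052c388c5310a5f1a9f429c670c": "Deutschen_Post_oder_DHL-ID.exe (strain 1)",
    "c497c6d0b69cb2e03236af82cc651193": "Deutschen_Post_oder_DHL-ID.exe (strain 2)",
}

# Extensions worth hashing (assumption), and the per-profile directory where
# the post found the dropped binaries (AppData\Roaming), written with os.path
# so the same code runs on a Linux rescue system that has the volume mounted.
SUSPECT_EXT = (".exe", ".dll", ".scr", ".zip")
USER_DROP_DIRS = [os.path.join("AppData", "Roaming")]


def md5_file(path, chunk=1 << 20):
    """Hash a file in chunks; the file is only ever opened for reading."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(mount_root, known_bad=KNOWN_BAD_MD5):
    """Walk every profile's drop directories under mount_root (the mount
    point of the suspect volume) and return one tuple per executable:
    (path relative to the mount, md5, size in bytes, status)."""
    results = []
    users_dir = os.path.join(mount_root, "Users")
    if not os.path.isdir(users_dir):
        return results
    for user in sorted(os.listdir(users_dir)):
        for drop in USER_DROP_DIRS:
            base = os.path.join(users_dir, user, drop)
            if not os.path.isdir(base):
                continue
            for dirpath, _, files in os.walk(base):
                for name in sorted(files):
                    if not name.lower().endswith(SUSPECT_EXT):
                        continue
                    full = os.path.join(dirpath, name)
                    digest = md5_file(full)
                    if digest in known_bad:
                        status = "known-bad: " + known_bad[digest]
                    else:
                        # Not on the list is not the same as clean: the post's
                        # memnvexec.exe was undetected everywhere at the time.
                        status = "unknown: look the hash up on VirusTotal"
                    results.append((os.path.relpath(full, mount_root), digest,
                                    os.path.getsize(full), status))
    return results


def build_sample_tree():
    """Constructed fixture standing in for a mounted volume: one profile with
    a harmless placeholder file (not the real binary) and a text file."""
    root = tempfile.mkdtemp(prefix="trk-triage-")
    roaming = os.path.join(root, "Users", "Administrator", "AppData", "Roaming")
    os.makedirs(roaming)
    with open(os.path.join(roaming, "memnvexec.exe"), "wb") as f:
        f.write(b"MZ placeholder bytes, constructed for the example")
    with open(os.path.join(roaming, "notes.txt"), "w") as f:
        f.write("not an executable, skipped")
    return root


if __name__ == "__main__":
    for row in triage(build_sample_tree()):
        print(row)
```

On a real TRK session the call would be `triage("/sda1")` after the manual mount; every "unknown" row is a hash worth submitting, and the size column lets you spot the two strains by their 135168- and 114688-byte lengths even before a signature exists.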

#### Conclusion

I do like TRK. This is an awesome tool for helping in dealing with outbreaks. However, it suffers from the same ailments as all AVs: this is a reactive business, signatures may take time to make it to the end user, and not everything qualifies as malware.

The menu-driven interface makes it really easy to use. Advanced users will make heavy use of the command line for a variety of tasks, such as taking images over a network to an NFS server, doing virus scans or deploying images. Additional functions are possible, such as network booting TRK on multiple computers to take care of larger networks.

If you are an IT or a security professional, this definitely has to be in your toolbox.

## Thursday, February 16, 2012

### And another one: booking.com

In the same fashion, I got an e-mail today allegedly from booking.com to give me some information about a reservation I had made. Or so it says.

Again, a zip file is attached, which contains an executable. Here are the MD5 hash values:

```
46ea3e441be4ba82fa2d059a5ca45f23  Booking-Com-Reservation.exe
e877998eef741bc7ed688584ed7595b6  Booking-Reservation-Details-NUM930833336.zip
```

It uses the same host (yerurr.com).

Interestingly enough, there is either a timer or a wait for the next reboot: after a reboot and having waited for a while, there was some activity to a site in Germany (www.floodwave.de) to get /services/images/servicesa.exe (md5sum: 8d39f983e08f68ca4ccb3a92f5e4a7ac). This file is not recognized as malware by any antivirus (VirusTotal Report)

When rebooted one more time, the machine followed the same cycle: request to Google, resolution of yerurr.com, POST /was/tnk.php. I stopped there, but I suspect that the machine would probably do something after a time, which I will try this weekend.

## Tuesday, February 14, 2012

### And another strain - DHL Express

Another one, again posing as a delivery company.

I got an e-mail with a zip attachment (DHL_Express_Shipment_POST_ORDER_ID92VMUANA.zip, MD5 hash: b8d96b95875bc31d9f5448e5d06837cc). When decompressed, an executable is present (DHL_Express_Shipment_POST_ORDER_ID.exe, MD5 hash: cc6e8193c7475ef34f79ab82ec6f90fc).

As of 02/14/2012, only 3 out of 43 AVs correctly detect the file as infected (VirusTotal report). Once decompressed, that number falls to 2/43 (VirusTotal report).

Funnily, my first attempt to run the executable in my 2008 virtual machine (64-bit) failed - DEP intercepted it and prevented the execution.

As for the previous two strains, this one first makes a request to Google.com (GET / HTTP/1.1). It then resolves yerurr.com and does a POST /was/tnk.php with a very long body. In my case, the activity stopped there.

## Tuesday, February 7, 2012

### Deutschen Post Strain 1 - Some information

Nothing to mention, really. I ran the first strain in the same conditions ... and got the same outcome. It seems that the two are variants of the same piece of code.

They both try to access Google.com, then resolve "kemolderin.com" and do a POST request to "/wap/udp.php".

### Deutschen Post Strain 2 - Some information

Since this morning, as I am home sick, I have decided to give Strain 2 from my previous post a try.

I installed a Windows 2008 Standard in a virtual environment to run the malware.

It started by doing a DNS request for "kemolderin.com" (resolution 66.199.231.30 on 02/07/2012 at 2:09 EST). It then connected to that IP on port TCP/80 and did a "POST /wap/udp.php" with a very long string of data.

The answer from the server was "HTTP/1.1 302 Found", with a few extra bytes of data (c0 83 a4 1c 1d 5f 72 ab).

The fun thing is I tried to browse to the same page, but I was greeted with a "Suspended Domain".

At this time, that's it folks. I will monitor the machine next time I reboot it, and I will try with a Windows XP as soon as I have one.
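The same sequence shows up in every strain described on this page: a GET to Google.com (apparently a connectivity check), then a POST to a short PHP path on a freshly resolved domain, and in one case a later download of servicesa.exe. That pattern is something a proxy log can be searched for, and the behavioural part of it catches a variant even when it moves to a domain nobody has listed yet. The detector below is an added example, not part of the original post: the domains and URIs are the ones these posts report, the log format and the one-minute window between check and beacon are assumptions, and the log lines it parses are constructed samples.

```python
from datetime import datetime, timedelta

# Hosts and URIs the posts on this page observed for these strains.
KNOWN_C2_HOSTS = {"kemolderin.com", "yerurr.com"}
BEACON_PATHS = {"/wap/udp.php", "/was/tnk.php"}
CONNECTIVITY_CHECK_HOSTS = {"google.com", "www.google.com"}
# Assumption: the beacon follows the Google check within a minute.
WINDOW = timedelta(seconds=60)

# Constructed proxy log, one request per line: timestamp client method host path
SAMPLE_LOG = """\
# constructed sample, not a real capture
2012-02-07T02:09:00 10.0.0.5 GET google.com /
2012-02-07T02:09:03 10.0.0.5 POST kemolderin.com /wap/udp.php
2012-02-07T02:10:00 10.0.0.7 GET google.com /
2012-02-07T02:10:01 10.0.0.7 GET www.example.org /index.html
2012-02-07T02:15:00 10.0.0.9 POST intranet.example.org /was/tnk.php
2012-02-07T02:40:00 10.0.0.5 GET www.floodwave.de /services/images/servicesa.exe
"""


def parse_line(line):
    """Split one log line into (datetime, client, method, host, path)."""
    ts, client, method, host, path = line.split()
    return datetime.fromisoformat(ts), client, method.upper(), host.lower(), path


def detect(lines):
    """Return (client, reason, detail) alerts. Three checks, in increasing
    generality: a known C2 host, a download of the second stage, and the
    behavioural sequence 'GET google.com then POST to a beacon URI', which
    still fires when a new variant uses a host not on the list."""
    alerts = []
    last_check = {}  # client -> time of its most recent Google GET
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, method, host, path = parse_line(line)
        if host in KNOWN_C2_HOSTS:
            alerts.append((client, "known C2 host", host))
        if path.endswith("/servicesa.exe"):
            alerts.append((client, "second-stage download", host + path))
        if method == "GET" and host in CONNECTIVITY_CHECK_HOSTS:
            last_check[client] = ts
            continue
        if method == "POST" and path in BEACON_PATHS:
            prev = last_check.get(client)
            if prev is not None and timedelta(0) <= ts - prev <= WINDOW:
                alerts.append((client, "connectivity check followed by beacon POST",
                               host + path))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the sample, 10.0.0.5 trips all three checks, 10.0.0.7 browsing normally after its Google visit stays quiet, and 10.0.0.9 posting to a matching path with no preceding check is not flagged either; tune the window and the path list to what your own proxy shows before relying on the sequence rule.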

### Fedex, DHL, Deutschen Post and you've got ... a virus

Among the many things I truly love about my Google Mail is its ability to detect viruses in what people try to send me. But first things first.

I used to operate my own mail server for nearly a decade. Along the road came the installation of an anti-spam daemon (spamassassin team: you rock!), an attempt at installing an anti-virus/anti-malware using ClamAV, and various other tweaks and tunes to make it (a) work correctly and (b) filter out something approaching 90% of undesirable content.

Also, as I am more and more often traveling, I installed a webmail application on my server, so I could process my mail without having to establish a POPS/IMAPS connection to my server. This came with the loss of a few features, but all in all, it was working OK.

Then one day, I tried Google Mail. The interface is sleek and easy to use, I have all my features back, and more. And Google gets my e-mail on my "own" address.

So recently, I have started getting more and more "Message left on server: ...." notices, because the message contains a potential virus or suspicious attachment. And more and more, I have been intrigued by these.

They all purport to come from DHL, FedEx or Deutschen Post. They all have a ZIP attachment, and they all enjoin you to take immediate action: execute the piece in the attachment. The titles are visibly generated at random for their last part, and all the zips contain an executable. The latter has a name that is not random: in all the recent zip files I received, the executable's file name is "Deutschen_Post_oder_DHL-ID.exe".

In these, I have identified two different strains.

The first one has a MD5 hash value of "3162d052c388c5310a5f1a9f429c670c" and a size of 135168 bytes. As of 02/07/2012 10:58am EST, only 14 scanners out of 42 detect the executable file as malware (Report on VirusTotal.com), less than 40%.

The second strain has a MD5 hash value of "c497c6d0b69cb2e03236af82cc651193" and a size of 114688 bytes. As of 02/07/2012 11:05am EST, only 10 scanners out of 43 detect the executable file as malware (Report on VirusTotal.com), less than 30%.

As (a) the names are consistent except for a random part in the zip file name, (b) the archive content is exactly the same within a strain and (c) I got these from various IPs, I lean toward an automated type of distribution, possibly a worm or a bot.

I still need to do some homework and play with these to see whether they point to the same "owner".

## Saturday, February 4, 2012

### Upgrade of an Ironport proxy

From time to time, you may experience failures when upgrading a Cisco Ironport from one version to another. In my case, I had been struggling for days to go from 7.1.0 to 7.1.1.

At the CLI, the upgrade command would fail after a random amount of time, claiming a network connectivity issue. I also had a message popping up:

```
High Latency: (109.905s) for <coro #1 name='<function coro_reader at 0x296995a4>' dead=0 started=1 scheduled=0 at 0x294b7a44>
```

The solution - in my case - was to disable WCCPv2 on the box and revert to "L4/no device". The upgrade went through like a charm.