Category Archives: open source

AutoSploit: Automated mass exploitation of remote hosts using Shodan and Metasploit

A “cyber security enthusiast” that goes by VectorSEC on Twitter has published AutoSploit, a Python-based tool that takes advantage of Shodan and Metasploit modules to automate mass exploitation of remote hosts. “Targets are collected automatically as well by employing the Shodan.io API. The program allows the user to enter their platform specific search query such as Apache, IIS, etc., upon which a list of candidates will be retrieved,” the tool’s creator explained. “After this operation has …

Skype users are finally getting end-to-end encryption

The move was announced on Thursday by Open Whisper Systems, the software organization behind the open source Signal Protocol, which has been implemented by Microsoft to offer the feature.

Private Conversations

The option, named Private Conversations, is currently being tested by Skype Insiders and has some temporary limitations. Firstly, it can be used to protect audio calls, text messages, and files (images, audio, videos), but not video calls. Secondly, Private Conversations are limited to one-on-one …

Developing for the intelligent cloud and intelligent edge at Microsoft Connect(); 2017

Today we’re kicking off Connect(); 2017, one of my favorite annual Microsoft developer events, where over three days we get to host approximately 150 livestreamed and interactive sessions for developers everywhere — no matter the tools they use or the platforms they prefer. Today at Connect(); 2017 I’m excited to share news that will help developers build for the intelligent cloud and the intelligent edge. There has never been a better time to be a developer, as developers are at the forefront of building the apps driving monumental change across organizations and entire industries. At Microsoft, we’re laser-focused on delivering tools and services that make developers more productive, helping developers create in the open, and putting AI into the hands of every developer so they can unleash the power of data and reimagine possibilities that will improve our world.

Any developer, any application, any platform

In previous years at Connect(); we announced the open-sourcing of .NET Core. Last year we announced Microsoft joining the Linux foundation and shared SQL Server on Linux. This year we’re continuing to deliver on our commitment to the open source community and making sure we can support customers no matter their platform of choice.

Azure Databricks — preview: Built in collaboration with the founders of Apache® Spark, Azure Databricks is a fast, easy and collaborative Apache® Spark-based analytics platform optimized for Azure. Azure Databricks combines the best of Databricks and Azure to help customers accelerate innovation with one-click setup, streamlined workflows and an interactive workspace. Native integration with Azure SQL Data Warehouse, Azure Storage, Azure Cosmos DB and Power BI simplifies the creation of modern data warehouses that enable organizations to provide self-service analytics and machine learning over both relational and non-relational data with enterprise-grade performance and governance. Customers inherently benefit from enterprise-grade Azure security, compliance and SLAs, as well as simplified security and identity control with Azure Active Directory integration. With these innovations, Azure is the one-stop destination to unlock powerful scenarios that make AI easy.

Microsoft joins MariaDB Foundation: Today we’re excited to be joining the MariaDB community as a platinum member of the MariaDB Foundation. As part of this membership, we’re committed to working closely with the foundation, actively contributing to MariaDB and the MariaDB community. We’re also announcing we’ll be delivering a preview of Azure Database for MariaDB, which will bring the fully managed service capabilities to MariaDB. Developers can sign up for the upcoming preview for Azure Database for MariaDB.

Azure Cosmos DB with Apache® Cassandra API — preview: With this preview, developers get Cassandra-as-a-service using the Cassandra SDKs and tools they are already familiar with, backed by the power of Azure Cosmos DB. Developers can re-use code they’ve already written and build new applications using the Cassandra API against Azure Cosmos DB’s globally distributed, multi-model database service. Azure Cosmos DB has been designed to scale throughput and storage across any number of geographical regions with comprehensive SLAs and with a range of consistency levels for more precise data latency management.

GitHub Partnership on GVFS: With GitHub, today we’re announcing Microsoft and GitHub are partnering to bring GVFS to GitHub’s 25 million users. GVFS is an open-source extension to the Git version control system developed by Microsoft to support the world’s largest repositories.

Helping developers be more productive

At Microsoft our mission is to empower every person and every organization on the planet to achieve more, and developers are no exception to this. We have a strong set of new announcements to help developers, as well as whole development teams, be more productive as they move into a world of continual innovation and continual development of their apps. At Connect(); we’re announcing:

Visual Studio App Center — general availability: The most comprehensive app development lifecycle solution for Objective-C, Swift, Java, Xamarin and React Native, Visual Studio App Center helps developers automate and manage the lifecycle of their iOS, Android, Windows and macOS apps. Developers can connect their repos and within minutes automate their builds, test on real devices in the cloud, distribute apps to beta testers and monitor real-world usage with crash and analytics data, all in one place.

Visual Studio Live Share — first look: Visual Studio is delivering the next major advancement in developer productivity with Visual Studio Live Share, which enables true real-time collaboration within both Visual Studio and Visual Studio Code. It lets developers seamlessly and securely share their project with other developers so that they can collaboratively edit and debug in real time together without having to sit in front of the same screen or in the same room. Rather than just screen sharing, Visual Studio Live Share lets developers share their full project context with a bi-directional, instant and familiar way to jump into opportunistic, collaborative programming.

Visual Studio Connected Environment for Azure Container Service (AKS) — upcoming preview: Visual Studio and Visual Studio Code will now use the Connected Environment for AKS features, making Kubernetes development a natural fit for Visual Studio developers. Developers will be able to easily edit and debug cloud native applications running on Kubernetes in the cloud with the speed, ease, full functionality and productivity they’ve come to expect from Visual Studio.

Azure DevOps Projects — preview: Available in the Azure management portal, Azure DevOps Projects will deliver a guided experience, helping developers easily explore the many Azure platform services available to help build their apps and, in the process, configure a full DevOps pipeline powered by Visual Studio Team Services. In less than five minutes, this feature will ensure that DevOps is not an afterthought, but instead the foundation for new projects and one that works with many application frameworks, languages and Azure hosted deployment endpoints.

Take a look at how Columbia Sportswear is leveraging Microsoft’s developer tools and DevOps platform to drive their own digital transformation.

Putting AI in the hands of every developer

As AI becomes more pervasive and developers are able to harness the vast amounts of data being created every day, coupled with the power and scale of the cloud, we want to make it easy for developers to create the next generation of intelligent applications. We want to put AI in the hands of every developer with the tools and platforms they are most familiar with. With the announcements below, we’re delivering new AI tools and bringing machine learning and intelligence to the edge.

Visual Studio Tools for AI — preview: This is an extension of our popular Visual Studio IDE, which will allow developers and data scientists to create AI models with maximum productivity. Visual Studio Tools for AI delivers debugging and rich editing, with the support of most deep learning frameworks such as Cognitive Toolkit, TensorFlow or Caffe. With this addition, developers and data scientists have a full development experience at their fingertips to create, train, manage and deploy models locally, and scale to Azure.

Azure IoT Edge — preview: Today we’re making available the preview of Azure IoT Edge, a service that deploys cloud intelligence to IoT devices via containers, and we’re introducing a new set of breakthrough cloud capabilities to run on IoT Edge, with Azure Machine Learning, Azure Functions and Azure Stream Analytics. Azure IoT Edge enables developers to build and test container-based workloads using C, Java, .NET, Node.js and Python, and simplifies the deployment and management of workloads at the edge. Azure IoT Edge can run on IoT devices with as little as 128MB of memory. As part of this announcement, we’re also releasing Azure Machine Learning updates, which enable AI models to be deployed and run on edge devices through the Azure IoT Edge service. Additional updates include easier AI model deployment on iOS devices with Core ML, as well as updates to the Azure Machine Learning Workbench tool.

Every year at Connect(); we get to share new tools and services that we hope will empower and inspire developers to build great apps. I encourage you to tune into Connect(); 2017 to learn more about all of the new innovations we’re announcing today, and to see what you can reimagine.

The post Developing for the intelligent cloud and intelligent edge at Microsoft Connect(); 2017 appeared first on The Official Microsoft Blog.

FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!

As a reverse engineer on the FLARE Team I rely on a customized Virtual Machine (VM) to perform malware analysis. The Virtual Machine is a Windows installation with numerous tweaks and tools to aid my analysis. Unfortunately, trying to maintain a custom VM like this is very laborious: tools frequently get out of date and it is hard to change or add new things. There is also a constant fear that if the VM gets corrupted it would be super tedious to replicate all of the settings and tools that I’ve built up over the years. To address this and many related challenges, I have developed a standardized (but easily customizable) Windows-based security distribution called FLARE VM.

FLARE VM is a freely available and open-sourced Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers. Inspired by open-source Linux-based security distributions like Kali Linux, REMnux and others, FLARE VM delivers a fully configured platform with a comprehensive collection of Windows security tools such as debuggers, disassemblers, decompilers, static and dynamic analysis utilities, network analysis and manipulation tools, web assessment, exploitation and vulnerability assessment applications, and many others.

The distribution also includes the FLARE team’s public malware analysis tools such as FLOSS and FakeNet-NG.

How To Get It

You are expected to have an existing installation of Windows 7 or above. This allows you to choose the exact Windows version, patch level, architecture and virtualization environment yourself.

Once you have that available, you can quickly deploy the FLARE VM environment by visiting the following URL in Internet Explorer (other browsers are not going to work):

http://boxstarter.org/package/url?https://raw.githubusercontent.com/fireeye/flare-vm/master/flarevm_malware.ps1

After you navigate to the above URL in Internet Explorer, you will be presented with a Boxstarter WebLauncher dialog. Select Run to continue the installation as illustrated in Figure 1.


Figure 1: FLARE VM Installation

Following successful installation of Boxstarter WebLauncher, you will be presented with a console window and one more prompt to enter your Windows password as shown in Figure 2. Your Windows password is necessary to restart the machine several times during the installation without prompting you to log in every time.


Figure 2: Boxstarter Password Prompt

The rest of the process is fully automated, so prepare yourself a cup of coffee or tea. Depending on your connection speed, the initial installation takes about 30-40 minutes. Your machine will also reboot several times because of the requirements of the numerous software installations. During the deployment process, you will see installation logs of a number of packages.

Once the installation is complete, it is highly recommended to switch the Virtual Machine networking settings to Host-Only mode so that malware samples cannot accidentally connect to the Internet or the local network. Also, take a fresh virtual machine snapshot so this clean state is saved! The final FLARE VM installation should look like Figure 3.


Figure 3: FLARE VM installation

NOTE: If you encounter a large number of error messages, try to simply restart the installation. All of the existing packages will be preserved and new packages will be installed.

Getting Started

The VM configuration and the included tools were either developed or carefully selected by the members of the FLARE team who have been reverse engineering malware, analyzing exploits and vulnerabilities, and teaching malware analysis classes for over a decade. All of the tools are organized in the directory structure shown in Figure 4.

Figure 4: FLARE VM Tools

While we attempt to make the tools available as a shortcut in the FLARE folder, there are several available from command-line only. Please see the online documentation at http://flarevm.info for the most up to date list.

Sample Analysis

In order to best illustrate how FLARE VM can assist in malware analysis tasks, let’s perform a basic analysis on one of the samples we use in our Malware Analysis Crash Course.

First, let’s obtain some basic indicators by looking at the strings in the binary. For this exercise, we are going to run FLARE’s own FLOSS tool, which is a strings utility on steroids. Visit http://flosseveryday.info for additional information about the tool. You can launch it by clicking on the FLOSS icon in the taskbar and running it against the sample as illustrated in Figure 5.


Figure 5: Running FLOSS

Unfortunately, looking over the resulting strings in Figure 6, only one string really stands out, and it is not clear how it is used.


Figure 6: Strings Analysis

Let’s dig a bit more into the binary by opening up CFF Explorer in order to analyze the sample’s imports, resources, and PE header structure. CFF Explorer and a number of other utilities are available in the FLARE folder, which can be accessed from the Desktop or the Start menu as illustrated in Figure 7.


Figure 7: Opening Utilities

While analyzing the PE header, there were several indicators that the binary contains a resource object with an additional payload. For example, the Import Address Table contained relevant Windows API calls such as LoadResource, FindResource and finally WinExec. Unfortunately, as you can see in Figure 8 the embedded payload “BIN” contains junk so it is likely encrypted.


Figure 8: PE Resource

At this point, we could continue the static analysis or we could “cheat” a bit by switching over to basic dynamic analysis techniques. Let’s attempt to quickly gather basic indicators by using another FLARE tool called FakeNet-NG. FakeNet-NG is a dynamic network emulation tool which tricks malware into revealing its network functionality by presenting it with fake services such as DNS, HTTP, FTP, IRC and many others. Please visit http://fakenet.info for additional information about the tool.

Also, let’s launch Procmon from the Sysinternals Suite in order to monitor all of the File, Registry and Windows API activity. You can find both of these frequently used tools in the taskbar illustrated in Figure 9.


Figure 9: Dynamic Analysis

After executing the sample with Administrator privileges, we quickly find excellent network- and host-based indicators. Figure 10 shows FakeNet-NG responding to the malware’s attempt to communicate with evil.mandiant.com using the HTTP protocol. Here we capture useful indicators such as a complete HTTP header, URL and a potentially unique User-Agent string. Also, notice that FakeNet-NG is capable of identifying the exact process communicating, which is level1_payload.exe. This process name corresponds to the unique string that we identified in the static analysis but couldn’t understand how it was used.

Figure 10: FakeNet-NG

Comparing our findings with the output of Procmon in Figure 11, we can confirm that the malware is indeed responsible for creating the level1_payload.exe executable in the system32 folder.


Figure 11: Procmon

As part of the malware analysis process, we could continue digging deeper by loading the sample in a disassembler and performing further analysis inside a debugger. However, I would not want to spoil this fun for our Malware Analysis Crash Course students by sharing all the answers here. That said, all of the relevant tools to perform such analysis are already included in the distribution, such as the IDA Pro and Binary Ninja disassemblers, a nice collection of debuggers and several plugins, and many others to make your reverse engineering tasks as convenient as possible.

Have It Your Way

FLARE VM is a constantly growing and changing project. While we try to cover as many use-case scenarios as possible, covering all of them is simply impossible due to the nature of the project. Luckily, FLARE VM is extremely easy to customize because it was built on top of the Chocolatey project. Chocolatey is a Windows-based package management system with thousands of packages. You can find the list here: https://chocolatey.org/packages. In addition to the public Chocolatey repository, FLARE VM uses our own FLARE repository, which is constantly growing and currently contains about 40 packages.

What all this means is that if you want to quickly add some package, let’s say Firefox, you no longer have to navigate to the software developer’s website. Simply open up a console and type in the command in Figure 12 to automatically download and install any package:


Figure 12: Installing packages

In a few short moments, the Firefox icon is going to appear on your Desktop with no user interaction necessary.

Staying up to date

As I’ve mentioned in the beginning, one of the hardest challenges of an unmanaged Virtual Machine is trying to keep all the tools up to date. FLARE VM solves this problem. You can completely update the entire system by simply running the command in Figure 13.


Figure 13: Staying up to date

If any of the installed packages have newer versions, they will be automatically downloaded and installed.

NOTE: Don’t forget to take another clean snapshot of an updated system and set networking back to Host-Only.
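The two Chocolatey operations described above, adding a package (Figure 12) and updating everything (Figure 13), wrapped in a small PowerShell script so the result of each step is checked rather than eyeballed. This is an added example, not a script from the FLARE VM project; it assumes choco is on PATH (as it is in FLARE VM), the package list is constructed, and the function names are ours.

```powershell
# Added example (not part of FLARE VM): drive Chocolatey from PowerShell and
# report per-package outcomes instead of scrolling through installer logs.
# Assumes 'choco' is on PATH, which the FLARE VM installer sets up.

# Exit codes Chocolatey passes through from MSI installers that mean
# "installed, but a reboot is needed": 1641 = reboot initiated, 3010 = reboot required.
$RebootCodes = @(1641, 3010)

function Invoke-Choco {
    param([Parameter(Mandatory)][string[]]$Arguments)
    # -y answers all confirmation prompts so the run stays unattended.
    & choco @Arguments -y
    $code = $LASTEXITCODE
    if ($code -eq 0) { return 'ok' }
    if ($RebootCodes -contains $code) { return 'reboot' }
    return "failed ($code)"
}

function Install-FlarePackages {
    param([Parameter(Mandatory)][string[]]$Packages)
    # Returns a hashtable of package name -> 'ok' | 'reboot' | 'failed (<code>)'.
    $results = @{}
    foreach ($pkg in $Packages) {
        Write-Host "Installing $pkg ..."
        $results[$pkg] = Invoke-Choco -Arguments @('install', $pkg)
    }
    return $results
}

function Update-FlareVm {
    # 'choco upgrade all' refreshes every installed package, from the public
    # Chocolatey repository and the FLARE repository alike (Figure 13).
    return Invoke-Choco -Arguments @('upgrade', 'all')
}

# Constructed package list; Firefox is the example the text uses for Figure 12.
$wanted = @('firefox')
$status = Install-FlarePackages -Packages $wanted

# The NOTE above says a run with errors can simply be restarted and already
# installed packages are kept, so retry only the packages that failed.
$retry = @($status.Keys | Where-Object { $status[$_] -like 'failed*' })
foreach ($pkg in $retry) {
    $status[$pkg] = Invoke-Choco -Arguments @('install', $pkg)
}

$upgrade = Update-FlareVm

$status.GetEnumerator() | ForEach-Object { '{0}: {1}' -f $_.Key, $_.Value }
"upgrade all: $upgrade"

if ((@($status.Values) + $upgrade) -contains 'reboot') {
    Write-Warning 'Reboot required. Afterwards, set networking back to Host-Only and take a fresh clean snapshot.'
}
```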

Conclusion

I hope you enjoy this new free tool and will adopt it as another trusted resource to perform reverse engineering and malware analysis tasks. Next time you need to set up a new malware analysis environment, try out FLARE VM!

In these few pages, we could only scratch the surface of everything that FLARE VM is capable of; however, feel free to leave your comments, tool requests, and bugs on our GitHub issues page here: https://github.com/fireeye/flare-vm or http://flarevm.info/.

Five Reasons I Want China Running Its Own Software

Periodically I read about efforts by China, or Russia, or North Korea, or other countries to replace American software with indigenous or semi-indigenous alternatives. I then reply via Twitter that I love the idea, with a short reason why. This post will list the top five reasons why I want China and other likely targets of American foreign intelligence collection to run their own software.

1. Many (most?) non-US software companies write lousy code. The US is by no means perfect, but our developers and processes generally appear to be superior to foreign indigenous efforts. Cisco vs Huawei is a good example. Cisco has plenty of problems, but it has processes in place to manage them, plus secure code development practices. Lousy indigenous code means it is easier for American intelligence agencies to penetrate foreign targets. (An example of a foreign country that excels in writing code is Israel, but thankfully it is not the same sort of priority target as China, Russia, or North Korea.)

2. Many (most?) non-US enterprises are 5-10 years behind US security practices. Even if a foreign target runs decent native code, the IT processes maintaining that code are lagging compared to American counterparts. Again, the US has not solved this problem by any stretch of the imagination. However, relatively speaking, American inventory management, patch management, and security operations have the edge over foreign intelligence targets. Because non-US enterprises running indigenous code will not necessarily be able to benefit from American expertise (as they might if they were running American code), these deficiencies will make them easier targets for foreign exploitation.

3. Foreign targets running foreign code is win-win for American intel and enterprises. The current vulnerability equities process (VEP) puts American intelligence agencies in a quandary. The IC develops a zero-day exploit for a vulnerability, say for use against Cisco routers. American and Chinese organizations use Cisco routers. Should the IC sit on the vulnerability in order to maintain access to foreign targets, or should it release the vulnerability to Cisco to enable patching and thereby protect American and foreign systems?

This dilemma disappears in a world where foreign targets run indigenous software. If the IC identifies a vulnerability in Cisco software, and the majority of its targets run non-Cisco software, then the IC is more likely (or should be pushed to be more likely) to assist with patching the vulnerable software. Meanwhile, the IC continues to exploit Huawei or other products at its leisure.

4. Writing and running indigenous code is the fastest way to improve. When foreign countries essentially outsource their IT to vendors, they become program managers. They lose or never develop any ability to write and run quality software. Writing and running your own code will enroll foreign organizations in the security school of hard knocks. American intel will have a field day for 3-5 years against these targets, as they flail around in a perpetual state of compromise. However, if they devote the proper native resources and attention, they will learn from their mistakes. They will write and run better software. Now, this means they will become harder targets for American intel, but American intel will retain the advantage of point 3.

5. Trustworthy indigenous code will promote international stability. Countries like China feel especially vulnerable to American exploitation. They have every reason to be scared. They run code written by other organizations. They don't patch it or manage it well. Their security operations stink. The American intel community could initiate a complete moratorium on hacking China, and the Chinese would still be ravaged by other countries or criminal hackers, all the while likely blaming American intel. They would not be able to assess the situation. This makes for a very unstable situation.

Therefore, countries like China and others are going down the indigenous software path. They understand that software, not oil as Daniel Yergin once wrote, is now the "commanding heights" of the economy. Pursuing this course will subject these countries to many years of pain. However, in the end I believe it will yield a more stable situation. These countries should begin to perceive that they are less vulnerable. They will experience their own vulnerability equities process. They will be more aware and less paranoid.

In this respect, indigenous software is a win for global politics. The losers, of course, are global software companies. Foreign countries will continue to make short-term deals to suck intellectual property and expertise from American software companies, before discarding them on the side of Al Gore's information highway.

One final point -- a way foreign companies could jump-start their indigenous efforts would be to leverage open source software. I doubt they would necessarily honor licenses which require sharing improvements with the open source community. However, open source would give foreign organizations the visibility they need and access to expertise that they lack. Microsoft's shared source and similar programs were a step in this direction, but I suggest foreign organizations adopt open source instead.

Now, widespread open source adoption by foreign intelligence targets would erode the advantages for American intel that I explained in point 3. I'm betting that foreign leaders are likely similar to Americans in that they tend to not trust open source, and prefer to roll their own and hold vendors accountable. Therefore I'm not that worried, from an American intel perspective, about point 3 being vastly eroded by widespread foreign open source adoption.
