Monday, December 13, 2010

Gone, never to return

THE END OF THE WORLD

When instinct tugs and pulls,
When those who know forget their manners,
When the stiff are what is watched,
When the soul feels stirred.

I am the one who asks,
Where is my end of the world,
Hoping to remain on His path,
Holding fast to His word.

Let me be on the path of the word,
In negation and in affirmation,
My life unbound,
The two phrases the source of my charm.

Let me be patient in the truth (hakikat),
Proclaiming the knowing (makrifat),
Sheltering within the law (syariat),
Becoming a servant who brings benefit.

My road is still long,
Reflection still wearies,
It will not be put off,
Remaining steadfast in what is commanded.

No medicine but patience,
No antidote but acceptance.

tintaresam
1:35 PM
14122010

Friday, December 3, 2010

Climbing rocks!

After a long thought, yesterday I decided to follow my friend and go climbing for the first time, at a bouldering gym called MadMonkeyz in Wangsa Maju. I didn't think it would be interesting, but I was wrong.

Before this, I saw climbing as a dangerous sport where all you need to do is climb to the top. Now I realise that climbing is not just about that. It's about strength, technique, technical knowledge and, the trickiest part, solving the puzzle of the route.

With some research on the Internet, I found that there are several types of climbing, each with its own goal and requirements. Below are the basic types that are most commonly done:

Boulder

Regardless of rock or wall, bouldering is climbing without a rope. Most of the time it is not about going high but about traversing a route on the rock or wall. All you need is climbing shoes and chalk. For safety, people usually bring a bouldering mat (crash pad) in case of an unplanned fall; in a bouldering gym the floor is usually covered with thick mattresses. Bouldering is about building strength and stamina, sharpening your climbing technique, and solving the puzzle of the route.



Top Rope

As the name says, top roping uses a climbing rope that runs from the climber up through the top anchor and back down to the belayer. It is commonly done by beginners, who use it to get familiar with the technical side of climbing and its safety measures, to get to the top, and to fight the fear of heights. Top roping needs at least two people: a climber and a belayer. The belayer stays on the ground and takes in the slack as the climber gets higher.

Besides the rope, the climber and the belayer each need a harness, and the belayer needs a belay device. In a fall, the climber depends on the rope, the harness and the belayer. The rope, usually a dynamic rope, stretches to absorb the energy of the fall; the peak force it passes to the climber is typically in the range of 5 to 10 kN, which is roughly half a tonne to one tonne of force (1 kN is about 100 kg of force, so 5 to 10 kN is not 5 to 10 tonnes). Harnesses likewise have their own rated strength. The belayer and the belay device play a vital role in the climber's safety: a belay device in good condition, and attention to the belaying steps, give the climber a safe journey to the top.



Lead Climbing

For those getting to the next step of adventure in climbing, lead climbing is the answer. Most of the time, after improving their climbing technique and their understanding of the technical side and its safety measures, people tend to move on to lead climbing. Like top roping, lead climbing requires two people (climber and belayer), rope, harnesses and a belay device, and it is about getting to the top of the route. What makes it a bit different and more adventurous than top roping is that it requires additional equipment such as quickdraws, slings and more carabiners.

Unlike top roping, where the rope is already through the top anchor, in lead climbing the rope starts from the ground: the climber places a quickdraw and clips the rope attached to his harness into it each time he gets higher. This means that each time the climber moves up, the last anchor holding his rope is below him. For safety, lead climbing needs both climber and belayer to understand the technical side of each piece of gear and the route. Too much slack endangers the climber; too little makes it hard for the climber to move and to clip the rope into the quickdraw. Good communication and understanding between climber and belayer make climbing a great experience.


Regardless of the type of climbing, with safety precautions, climbing technique and the motivation to get the route done, we will surely have a great experience. Well, as I write this my hands have started to sweat. Can't wait for the next session to get chalk all over my hands. Heh

Wednesday, November 24, 2010

An Application Programming Interface for VirusTotal

VirusTotal has become a very useful point of reference for determining whether a file is malicious or not. On its front end, VirusTotal gathers well-known antivirus products as engines that report the status of the file you want to check. Its effectiveness is clear from the robustness of the result: the cross-reference between all the antivirus engines can be seen in VirusTotal, which in turn reduces the error rate in the detection process.

To extend VirusTotal's capabilities and functions, it has been given an application programming interface, the VirusTotal API. Using the VirusTotal API we can upload and scan files and URLs, or access reports on files that were uploaded earlier, without going through the main VirusTotal website. This is done by sending an HTTP POST request to a specific VirusTotal URL. For further information on how the VirusTotal API works and how to use it, click here.

I too have made use of the VirusTotal API in a few projects I work on. Below is a simple implementation in the Ruby programming language that fetches an existing report from the VirusTotal database based on an MD5 hash we supply:


#!/usr/bin/ruby
# Look up an existing VirusTotal report by the MD5 of a local file,
# using the get_file_report.json endpoint of the API as it was in 2010.
require 'rubygems'
require 'net/https'
require 'uri'
require 'digest/md5'
require 'json'

def virustotal(file)
  # Hash the raw bytes; binread avoids any text-mode newline conversion.
  md5 = Digest::MD5.hexdigest(File.binread(file))
  uri = URI.parse("https://www.virustotal.com/api/get_file_report.json")
  key = 'PUT-YOUR-VIRUSTOTAL-API-KEY-HERE'

  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER  # do not talk to an unverified server

  request = Net::HTTP::Post.new(uri.request_uri)
  request.set_form_data({'resource' => md5, 'key' => key})
  response = http.request(request)
  abort "HTTP #{response.code} from VirusTotal" unless response.is_a?(Net::HTTPSuccess)

  get_file_report = JSON.parse(response.body)
  result = get_file_report['report']
  if result.nil?
    puts "No report found for #{md5}"
    return
  end

  # The report is [submission date, { engine => verdict }];
  # an empty verdict means that engine did not detect anything.
  puts "Date submitted: " + result[0]
  result[1].each do |av, res|
    print "#{av.rjust(14)}: #{res}\n" unless res.empty?
  end
end

if ARGV.length == 1
  virustotal(ARGV[0])
else
  puts "Usage: #{__FILE__} file"
end

Wednesday, November 3, 2010

No endstream, no endobj, no worries

When analyzing malicious PDF documents, being able to understand the format of the object structure is definitely useful. To look for malicious content inside the file, we may need to go through several steps that involve interpreting the PDF object structure.

A PDF object is enclosed by the keywords “obj” and “endobj”, preceded by the object number and the generation number. Between “obj” and “endobj” there are usually two components, the object dictionary and the stream. The object dictionary is a set of keys and values enclosed in “<<” and “>>”, while the stream is a sequence of bytes. A stream consists of zero or more bytes bracketed between the keyword stream (followed by a newline) and the keyword endstream; the dictionary's /Length entry states how many bytes the stream holds.

The snippet below shows a normal PDF object structure:

1 0 obj
<< /Length 12 >>
stream
HELLO WORLD!
endstream
endobj

Object 1 0 contains a dictionary (between << and >>) with the key /Length and the value 12, the number of bytes in the stream. Below the dictionary comes the stream, holding the string “HELLO WORLD!” just before endstream. Finally, the object structure is closed with the endobj keyword, which marks the end of object 1 0's portion.

Although the PDF object structure is rather easy to understand, it can also be manipulated in many ways for malicious intent. The main purpose of the manipulation is to break the analysis process, particularly for PDF analysis tools. How can the PDF object structure be manipulated? Usually attackers omit some of the syntax or keywords required within the object. Such omissions nevertheless seem to be accepted as valid structure by PDF readers such as Adobe Reader. For example (note that in these three examples /Length also no longer matches the 12 bytes of data):

Object without “endobj”
1 0 obj
<< /Length 1337 >>
stream
HELLO WORLD!
endstream

Object without “endstream”
1 0 obj
<< /Length 1337 >>
stream
HELLO WORLD!
endobj

So-called bluff trick
1 0 obj
<< /Length 1337 >>
stream
HELLO WORLD!endstream\n
endstream
endobj

In the three examples above, even when some components are dropped from (or added to) the structure, the PDF reader can still render the text without raising any error.

In the last snippet, the bluff trick is used to confuse security tools about where the stream really ends. When plain pattern matching is used, the script or tool may not get the complete stream content, because it cannot tell the endstream planted inside the data from the real one. Proper handling of these manipulations must be considered thoroughly in order to get a reliable extraction.

Generalizing the security tools is crucial if they are to work under any condition encountered. Pattern matching alone will not work. Understanding the format of the PDF object helps a lot in generalizing the analysis tools.

For example, with the usual manipulation methods attackers cannot get rid of both the “endstream” and the “endobj” keyword at once: either “endstream” or “endobj” or both will still exist. As a rough solution, a regular expression such as />>.*?stream(.*?)(endstream|endobj)/m (Ruby syntax; /m lets . match newlines) recovers the stream in the first two cases. Against the bluff trick, however, its non-greedy group stops at the planted endstream and returns only “HELLO WORLD!”, so it must be backed by other filtering: for instance checking the captured length against /Length when that value is sane, or taking the last endstream before endobj rather than the first.

Thursday, August 26, 2010

Gallus, yet another PDF analyzer (alpha)

Introducing Gallus

Gallus is a web-based malware detection service built specifically to extract and analyze suspected malicious PDF documents. It is a free service designed to help security researchers and the public detect exploits and extract other useful information from PDF documents.

How Gallus Works

Gallus is designed to extract and analyze the malicious components that reside inside PDF documents. If such a component exists, it goes through a series of analyses to collect any further malicious elements that might be present.

Extracting and Parsing

Usually, a malicious PDF document uses JavaScript code to trigger the vulnerability (or vulnerabilities) and to execute the payload. By detecting and parsing the embedded JavaScript code, we are able to determine whether the PDF document is malicious.

Analysis

After the detected code is parsed, a series of analyses is run to obtain the shellcode used as the payload and the vulnerability that will be exploited. Most malicious PDF documents use obfuscation techniques to defeat the analysis process. To counter such techniques, Gallus uses SpiderMonkey to interpret the obfuscated code, plus other deobfuscation modules.

Exploit

From the malicious JavaScript code we can determine the vulnerability used. Some of the exploits commonly found inside malicious PDF documents are:

(CVE-2007-5659) collab.CollectEmailInfo
(CVE-2008-2992) util.printf
(CVE-2009-0927) collab.getIcon
(CVE-2009-4324) media.newPlayer

Shellcode

Gallus is able to detect and extract shellcode inside a malicious PDF document. From the shellcode obtained, we can determine its behaviour using a shellcode analyzer. In the usual case we may also find the URL of a potential malware download used in a URLDownloadToFile payload.

Status

Gallus categorizes the submitted PDF document as Malicious, Suspicious, or Benign. Malicious indicates that an exploit and shellcode were detected inside the PDF document. Suspicious indicates that the JavaScript code inside the document contains doubtful instructions. Benign indicates that the PDF document does not contain any exploit, shellcode, or doubtful code.

Using Gallus

Gallus allows sample submission via two methods, file submission and URL submission. Upon submission, Gallus extracts and runs various analyses to identify the content of the file.

To give it a try, click here.

Saturday, April 10, 2010

Referencing yourself with arguments.callee

Obfuscation using arguments.callee in JavaScript is widely seen in browser exploitation and malicious PDF attacks. This kind of obfuscation can be tricky for a security analyst to handle.

arguments.callee is normally used to stop a security analyst from modifying the malicious function. The variable that holds the function's source, obtained through arguments.callee, is checked in order to detect whether the code has been altered. If it has, the code produces a false result or no result at all.

Per the JavaScript reference, arguments.callee refers to the function that is currently executing, so arguments.callee.toString() returns the source text of the function the call resides in. The example below is simple JavaScript that checks the length of the function's source. If the function is altered and the length grows, the decoy branch runs instead.

// Self-checking function: it compares the length of its own source text
// (obtained through arguments.callee) with a hard-coded value. Comments are
// kept outside the body on purpose, since anything inside changes that length.
function malicious_fn(arg1, arg2) {
 var validate = arguments.callee.toString();
 if (validate.length <= 198) {
   eval(unescape(arg1));
 }
 else {
   eval(unescape(arg2));
 }
}

// The two arguments decode to the plain strings "This is malicious!" and
// "This is not malicious!", stand-ins for the real payload and the decoy
// (eval of plain text raises a SyntaxError; substitute real code to run it).
malicious_fn("%54%68%69%73%20%69%73%20%6d%61%6c%69%63%69%6f%75%73%21","%54%68%69%73%20%69%73%20%6e%6f%74%20%6d%61%6c%69%63%69%6f%75%73%21");

To get past this kind of trick, we can circumvent the trap by replacing the variable 'validate' with the source text of the original malicious_fn, so the length check sees the unmodified function no matter what else we change in the body.

// 'validate' now holds the pristine source text of malicious_fn (the
// %-escaped string decodes to exactly that text, 187 characters), so the
// length check passes regardless of how the function below is modified.
function malicious_fn(arg1, arg2) {
 var validate = unescape("%66%75%6e%63%74%69%6f%6e%20%6d%61%6c%69%63%69%6f%75%73%5f%66%6e%28%61%72%67%31%2c%20%61%72%67%32%29%20%7b%0d%0a%09%76%61%72%20%76%61%6c%69%64%61%74%65%20%3d%20%61%72%67%75%6d%65%6e%74%73%2e%63%61%6c%6c%65%65%2e%74%6f%53%74%72%69%6e%67%28%29%3b%0d%0a%0d%0a%09%69%66%20%28%76%61%6c%69%64%61%74%65%2e%6c%65%6e%67%74%68%20%3c%3d%20%31%39%38%29%20%7b%0d%0a%09%09%65%76%61%6c%28%75%6e%65%73%63%61%70%65%28%61%72%67%31%29%29%3b%0d%0a%09%7d%0d%0a%09%65%6c%73%65%20%7b%0d%0a%09%09%65%76%61%6c%28%75%6e%65%73%63%61%70%65%28%61%72%67%32%29%29%3b%0d%0a%09%7d%0d%0a%7d");

 if (validate.length <= 198) {
   eval(unescape(arg1));
 }
 else {
   eval(unescape(arg2));
 }
}

malicious_fn("%54%68%69%73%20%69%73%20%6d%61%6c%69%63%69%6f%75%73%21","%54%68%69%73%20%69%73%20%6e%6f%74%20%6d%61%6c%69%63%69%6f%75%73%21");

This example is just a basic demonstration of how arguments.callee is used in real malicious code. Bear in mind that there are hundreds of ways arguments.callee can be used to make your life miserable as an analyst. The only way for us to handle this annoyance is to understand how the code works.