The most secure code in the world

I’m going to say some things that might be the last thing I’ll ever be able to say (you’ll see why in the next paragraph :) ). Open source is only as secure as the developers made it. It is not more secure than closed source, and it’s not better than closed code. It’s merely code!

Most of the open source community (hey, I also develop open source tools and programs) tries to sell us that Open = Secure. When Internet Explorer had one security problem after another, Firefox developers came and told us that in open source it would never have happened: there are 10000000 (I must have missed a few 0s :) ) eyes on the code, so it cannot be less secure, only more secure….

Ammm.. OK (I’m starting to look for a place to hide right about now :P )

The fact is that for better and more secure code, the first thing we have to do is educate people to think and to be paranoid. Yeah! You cannot trust any user input or any result of a system function, and you must validate them over and over again.

You must check the input and make sure it does not overflow the amount of memory you are willing to give your buffers.

You must sanitize (filter out) any character you do not wish to see or have,
and escape anything that you must keep but that may affect your program.

But wait, that still does not give us secure programs and code; it only starts making us understand the risks better. For example, an off-by-one can happen to anyone… especially after alcohol is involved :)
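As an added example (not part of the original post), here is what the three rules above and the off-by-one look like in C: the bounds check written both the wrong and the right way, an allowlist filter, and an HTML escaper that fails closed instead of writing past its output buffer. The 16-byte buffer size, the allowed character set and HTML as the output context are assumptions made for this example.

```c
/* Added example, not from the original post: the three rules above
 * (bounds check, sanitize, escape) and the off-by-one that defeats the
 * first one. Buffer size, allowlist and HTML as the output context are
 * assumptions made for this example. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16 /* bytes reserved for a name, terminating NUL included */

/* The off-by-one: accepts a 16-character name into a 16-byte buffer,
 * so the terminating NUL would be written one byte past the end. */
bool fits_buggy(size_t len) { return len <= NAME_BUF; }

/* Correct: the payload must leave one byte for the NUL. */
bool fits(size_t len) { return len < NAME_BUF; }

/* Rule 1: refuse input that does not fit the memory you decided to give it.
 * Returns false and leaves dst empty instead of truncating silently. */
bool copy_name(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz) {
        if (dstsz)
            dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1); /* n + 1 copies the NUL too */
    return true;
}

/* Rule 2: sanitize in place, keeping only an allowlist of [A-Za-z0-9_-].
 * Returns how many characters were dropped, so the caller can log it. */
size_t sanitize_ident(char *s)
{
    size_t r = 0, w = 0;
    for (; s[r] != '\0'; r++) {
        unsigned char c = (unsigned char)s[r];
        if (isalnum(c) || c == '_' || c == '-')
            s[w++] = (char)c;
    }
    s[w] = '\0';
    return r - w;
}

/* Rule 3: escape characters you must keep but that change meaning in the
 * output context (here HTML). Fails closed: returns false and empties out
 * when the escaped form would not fit, rather than truncating an entity. */
bool escape_html(const char *in, char *out, size_t outsz)
{
    if (outsz == 0)
        return false;
    size_t w = 0;
    for (; *in != '\0'; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (w + rl >= outsz) { /* >= keeps room for the NUL */
            out[0] = '\0';
            return false;
        }
        memcpy(out + w, rep, rl);
        w += rl;
    }
    out[w] = '\0';
    return true;
}

int main(void)
{
    char name[NAME_BUF], html[64];
    char ident[] = "rm -rf /; id"; /* constructed input */

    printf("16 chars fit? buggy check: %d, correct check: %d\n",
           fits_buggy(16), fits(16));
    printf("copy of 16 chars accepted: %d\n",
           copy_name(name, sizeof name, "1234567890123456"));
    size_t dropped = sanitize_ident(ident);
    printf("dropped %zu chars -> %s\n", dropped, ident);
    if (escape_html("<b>&\"x'", html, sizeof html))
        printf("escaped: %s\n", html);
    return 0;
}
```

The point of the two `fits` predicates is that the difference between `<=` and `<` is the whole bug: the buggy check admits exactly one input length too many, which is the one that puts the NUL past the buffer. Both copy_name and escape_html refuse rather than truncate, because a silently truncated value is itself a way to smuggle something past a later check.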

And what about the user controlling where our functions jump (you know, changing the hard-coded machine code of the program), or injecting system functions of his own… We can sanitize the input we get back from a function, but we cannot control what happens inside the function itself…

Or even bugs that we didn’t think we had, until someone found them and exploited them. Or as Knuth once said: “I just proved that my claim is right, but I haven’t tested my code with a compiler” (I’m quoting from memory…)

But I just realized that’s not the thing I needed to start with… I should have said that we are not educated to think in more secure ways. In high schools and universities we are taught to assume that the user input is somewhat correct, and all we need to do is focus on the functionality of the program.
We are also taught that there is only one “right” way to do things, and that’s the professor’s way :)

So before everyone starts jumping and accusing something of being more or less secure, let’s start teaching people to do things in a more secure way… So how do we start?


Exploit for ca$h

An exploit that I cannot give you exists for Mozilla (Gecko) based web browsers, and I also tested it on KDE’s Konqueror to find out that the problem exists there as well…

The bug was found by Georgi Guninski. For those who don’t know him, he is almost a “bug hunter for hire”.

So why can’t I give you the exploit?

Well, Mr. Guninski wrote the following in his exploit:

Cannot be used in vulnerability databases
Especially securityfocus/mitre/cve/cert

And when we (SecuriTeam) sent him a private email about it, he told the entire world:

no.

you don’t have my permission.
try buying a licence with ca$h.

BTW, if you really wish to see the exploit, you can visit Bugzilla.

So I have one question: whatever happened to the idea of full disclosure?! I believe in it, and I have seen how much good it does for many products; only when exploits and advisories came out did the vendor actually fix the problems…


Virtual Sex with Commwarrior

Now that I have your attention :) well, Commwarrior is a worm that spreads to Bluetooth-enabled cellular phones. More precisely, it spreads to Symbian Series 60 devices using MMS and Bluetooth.

MMS, for those who don’t know, stands for “Multimedia Messaging Service”, a younger brother of SMS, which allows cellular phones to send short sounds, video clips and other multimedia as a message that looks like an SMS, with the message body in the Internet Message Format (RFC 2822). MMS is becoming highly popular, like many other gimmicks of the 3rd generation of cellular phones.

Anyway, as far as I could find, there are two versions of Commwarrior, and both of them spread by “Virtual Sex”. The worm looks for Bluetooth phones nearby and sends them an infected SIS file. The SIS files that Commwarrior sends have random file names, so you can’t just ignore a certain file name and be safe.

Regardless of Bluetooth, the worm also tries to send MMS messages containing itself to all of the phone numbers listed in the contact/address book.

Here are some details from F-Secure about the worm:

Comwarrior contains the following texts:

CommWarrior v1.0 (c) 2005 by e10d0r
OTMOP03KAM HET!

The text “OTMOP03KAM HET!” is Russian and means roughly “No to braindeads”.

Replication over bluetooth

Comwarrior replicates over Bluetooth in SIS files that have random names; the SIS file contains the worm’s main executable commwarrior.exe and the boot component commrec.mdl.

The SIS file contains autostart settings that will automatically execute commwarrior.exe after the SIS file has been installed.

When the Comwarrior worm is activated it will start looking for other Bluetooth devices and send a copy of itself to each of these phones, one after another. If the target phone goes out of range or rejects the file transfer, Commwarrior will search for another phone.

The replication mechanism of Comwarrior is different from Cabir’s. The Cabir worm locks onto one phone as long as it is in range and, depending on the variant, will either look for another phone after losing contact or stay locked.

The Comwarrior worm will look for new targets after sending itself to the first target; thus it is able to contact all phones in range, and possibly spread faster than Cabir.

Commwarrior replicates over Bluetooth only from 08:00 to 23:59, based on the phone’s own clock.

Replication over MMS

Comwarrior replicates over MMS by sending MMS messages that contain the infected SIS file to other users. The MMS messages contain a variable text message and the Comwarrior SIS file with the filename commw.sis.

Unlike in Bluetooth spreading, the SIS file name is constant; otherwise the SIS file is identical to the one sent in Bluetooth spreading.

The numbers to which Commwarrior sends the MMS messages are read from the phone’s address book.

Comwarrior uses the following texts in MMS spreading:

MatrixRemover
Matrix has you. Remove matrix!

3DGame
3DGame from me. It is FREE !

MS-DOS
MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!

PocketPCemu
PocketPC *REAL* emulator for Symbvian OS! Nokia only.

Nokia ringtoner
Nokia RingtoneManager for all models.

Security update #12
Significant security update. See www.symbian.com

Display driver
Real True Color mobile display driver!

Audio driver
Live3D driver with polyphonic virtual speakers!

Symbian security update
See security news at www.symbian.com

SymbianOS update
OS service pack #1 from Symbian inc.

Happy Birthday!
Happy Birthday! It is present for you!

Free SEX!
Free *SEX* software for you!

Virtual SEX
Virtual SEX mobile engine from Russian hackers!

Porno images
Porno images collection with nice viewer!

Internet Accelerator
Internet accelerator, SSL security update #7.

WWW Cracker
Helps to *CRACK* WWW sites like hotmail.com

Internet Cracker
It is *EASY* to *CRACK* provider accounts!

PowerSave Inspector
Save you battery and *MONEY*!

3DNow!
3DNow!(tm) mobile emulator for *GAMES*.

Desktop manager
Official Symbian desctop manager.

CheckDisk
*FREE* CheckDisk for SymbianOS released!

MobiComm

Norton AntiVirus
Released now for mobile, install it!

Dr.Web
New Dr.Web antivirus for Symbian OS. Try it!

Infection

When the Comwarrior SIS file is installed, the installer will copy the worm executables into the following locations:

\system\apps\CommWarrior\commwarrior.exe
\system\apps\CommWarrior\commrec.mdl

When commwarrior.exe is executed it copies the following files:

\system\updates\commrec.mdl
\system\updates\commwarrior.exe

And rebuilds its SIS file as:

\system\updates\commw.sis

After recreating the SIS file the worm starts spreading over MMS.

Commwarrior replicates over MMS only from 00:00 to 06:59, based on the phone’s own clock.

For reference please look at:
F-Secure Commwarrior.A
F-Secure Commwarrior.B
MMS
rfc2822
Some Bluetooth stuff
Bluetooth specs


Thinking Different I

Yesterday someone reminded me of the “hacking” styles used in two Sci-Fi TV series that he has seen:

  1. Babylon 5
  2. Battlestar Galactica

In the middle of the Babylon 5 series, there is an episode that takes the memories of John Sheridan and Delenn to see what happens to the human race after 70 years, a few hundred years and so on… In one of these timelines, we see Mr. Garibaldi, who is now a hologram, “hack” into the systems of some people on Earth who are at war with people on Mars. When the person asks him “how were you able to do it?”, Mr. Garibaldi answers: “I saw how you accessed the systems and used my experience to understand how to hack it.”

In Battlestar Galactica, we saw in the first season that the computers of Galactica were never networked and therefore the Cylon virus never affected them. In the first episode of the second season, Galactica lost the rest of the fleet, and the only way to find them in space was to network all of the computers on the ship. When they did so, they became open to attack because there was now a network, and the Cylon virus could spread to the main computer core. The funniest part was that they could identify the virus, but never thought to fix the vulnerabilities that let it spread… (and people call it Sci-Fi…).

To make a long story short, in both cases we see how social engineering turns the tables. I read today an advisory that shows how easy it is to bypass the Microsoft Windows XP SP2 firewall. It is only partly a problem, because the attacker needs access and write permissions to the registry. But then I remembered that Windows requires Administrator privileges to play many computer games.

I’ll repeat it: you need to have Administrator privileges in Windows in order to play games!

When I try to teach people not to use this account, I receive answers like: “but I can’t do X if I’m not an administrator” or “but I have an antivirus and a firewall and every other anti-malware tool”. But still we get reports such as “Microsoft Windows keybd_event Validation Vulnerability” that are given very high priority on security channels.

When problems such as the Israeli trojan occur, you might think people would learn not to use administrator accounts… But no! They do not. And the worst part is that most places in the world did not report this issue. It was not very different from any other known problem, but it was important for teaching people that social engineering is a very serious threat.

We all need to learn how to work a bit differently with our computers. Security comes from restricting what you can and cannot do, not from installing 100 kinds of protection. Because all it takes is one program that is not detected, and all of your measures are for nothing.


Smells FISH(y)

I’m an administrator of a VPS (Virtual Private Server). A few days ago I noticed something weird on the VPS: a process running a Perl script that redirected its output to the almighty black hole, /dev/null. The Bash prompt variable (PS1) was set to be empty, and the script itself was written like VBA code (without indentation or line breaks). When I took a quick glance at the script, I saw that one regex inside was looking for a command such as rmdir (for example), and that it would then unlink a directory.

Sounds like a back door that someone wrote, and all that it needs now is to open a shell for you and get it over with…

Well, NO! This script was used by KDE (in this case) for a simple SSH connection that mimics the behaviour of sftp, but over a plain ssh connection. The owner of the VPS used KDE’s way (Konqueror?) to log in to the server… and KDE installed the script for the user.
Now when the user logged in, the commands “users” and “who” would not show the user (“who -a” shows something, but not who the user is or the IP of the connected user). “last” also will not give you much information about the login, and if you try to hide the process, then even “ps” will not help (I first noticed the issue using ps)…
Oh, by the way, the script also read and wrote information to and from /var/log/messages.

BTW, this script implements the FISH protocol.

How do I know that, you ask? Well, that’s what the Perl script says :-P .
It seems that KDE (and other clients) try to help their users by implementing sftp-like actions without leaving the ssh client.

Sounds cool? Well, I guess so… but then again, it IS a back door, at least if someone is able to make the “server” talk to him without any need for authentication.

People should stop being lazy and start using the right tool for the right job. Using FISH can be exploited the same way that rlogin, telnet and NULL sessions are.


Social Engineering the Dilbert Way

The following illustrates how Dilbert’s Dogbert uses social engineering to get the Pointy-Haired Boss to give him his social security number and password :) :
Dilbert


Hidden Problems

I recently encountered a company that asked to be scanned for known vulnerabilities and wanted a report about the status of their servers. The company protected their servers with an IPS that blocks connections from anyone who attempts a port scan etc… So the port scan failed, our scanning server was blocked, and the company was very happy that their IPS was able to block the scan. They received a report that said their servers were ‘black holes’. They were unhappy with the report and wanted confirmation that their servers are not vulnerable.

I do not like this type of arrogance. They think they’re smart, and then some script kiddie comes along, tries an exploit for the first time, and breaks into their system without breaking a sweat.

This arrogance comes from IT personnel who regard IDS and IPS as really cool tools, because they can use them to show their bosses: “look, Mr. Boss, no one can penetrate us, we are blocking any attempt to scan us.” Mr. Boss then concludes: “cool, so we are now ‘hacker free’”.

Well, here most people will say to themselves YES! But that is not the case, people!!!

IDS/IPS are only one gate to be passed. Sometimes it’s easier to go through HTTP, SMTP or whatever other commonly used open service the company runs, and penetrate through those…

Most of the people reading these words probably know how to do it, using known vulnerabilities in the services the company runs.

But how can someone know exactly which service this company uses? Hmm, let’s see. Let’s send an email to the company and ask them for more information about their product. We do so to see what the reply reveals about their mail server, mail client, internal paths, or whatever else the headers and signature leak. Oh wait, that was too hard; let’s look at the company’s web page. OK, it’s ASP. Let’s look at a 404 page… Yep, it has different strings inside for every version… So I know what to exploit for each version…

Another way to find out is a script on the server that echoes back a list of its system variables… some variables exist only on specific server products. And those are just two very short examples…

So you see, Mr. Boss? I can’t port scan you or do some other kinds of “brute force” actions, but I can gather information and even exploit your system with its known vulnerabilities (or zero-day ones). You are not protected by IDS/IPS; you have only swept the dirt under the rug.

IDS/IPS are only as good as the security of the rest of your services; they can help prevent attacks, but only when everything else is done well.

Or, in less harsh words: don’t hide the problems, solve them instead.
