Brain Dump: Ubuntu 7.04 Feisty Fawn, School, Giving Back, Blogging

I recently loaded up a new vir­tual machine with Ubuntu 7.04 Feisty Fawn (32-bit) run­ning on Vista Ulti­mate (64-bit) and have had no prob­lems thus far.  Every­thing works, dual mon­i­tors, sound, net­work­ing, etc…

I’m seri­ously impressed with the qual­ity of VMWare Work­sta­tion 6.  I’ve been a user of their prod­uct since ver­sion 4, and it’s done noth­ing but improve.  I’m also impressed with Ubuntu.  It took almost zero effort in order to get a work­ing sys­tem installed to disk. After the install a sim­ple sudo apt-get install build-essential was all I needed to get what I need for development.

My rea­sons for the linux vm are 2 fold. First of all I pre­fer it to win­dows as a “safer” plat­form to do my bank­ing and such on. Sec­ondly, I’ve started another class in my Master’s pro­gram at DePaul Uni­ver­sity, and it requires a linux sys­tem.  We’ll be learn­ing assem­bler from the programmer’s point of view; that is under­stand­ing what data struc­tures, con­trol state­ments, etc look like in assem­bler as well being able to take com­piled pro­grams and debug them at the assem­bler level to find/troubleshoot bugs.

I’ve also been spend­ing some time think­ing of ways to give to the secu­rity com­mu­nity.  One of my ways was recently men­tioned in a Secu­rity Cat­a­lyst Com­mu­nity forums post.  Basi­cally, cre­ate a matrix of secu­rity con­trols and com­mon imple­men­ta­tions cross ref­er­enc­ing them with all the dif­fer­ent secu­rity stan­dards out there. A per­son could for instance check all the con­trols they already have in place. The site would then list off the stan­dards they are already com­pli­ant with.  If they wanted, they could pick a stan­dard and it would list off both what they already have and what they are lack­ing. Not easy and not quick, but useful.

I’ve also been play­ing around with some type of more use­ful way to glean data from Check­Point fire­wall logs that have been exported to ASCII with the fwm log­ex­port –i <date> –o <date>.out –n –p –m raw com­mand. Specif­i­cally, I’m look­ing for ways to visu­ally make unusual activ­ity “jump” out at the ana­lyst. I’ve been able to cre­ate graphs of port usage over time, but haven’t got­ten the code into a state where com­par­i­sion against the stan­dard divi­a­tion is viable yet.  I also haven’t come up with a solid inter­face either.  Thus far its a hodge podge of perl scripts that can print graphs if STDOUT is redi­rected to a png file :) I’m debat­ing between open source, free soft­ware, web-based stuff and C# in a Win­dows App. The devel­oper in me wants to use C# since I’m very com­fort­able with the lan­guage, but the stu­dent in me wants to use perl, mysql, and php. Oh the choices!

Another inter­est­ing thing I’ve been mulling over is file carv­ing from libp­cap files. Often I find myself want­ing to grab a file that was sent over the net­work that I have a cap­ture of. I’ve been think­ing of 2 ways to solve this: (1) write my own parser for files as I need them or (2) con­tribute to the tcpx­tract project so that it works more accurately.

Well that’s my brain dump for now.  One of my goals is to use blog­ging as Richard Bejtlich has, and that’s as a per­sonal dump­ing ground to find thoughts, arti­cles, etc in case I need to refer back to them in the future. Let see how this works out!

Graphs in Perl

It wasn’t until recently that I started to really use perl for my tasks. But the more I use it, the more I find myself enjoy­ing it’s sim­ple ele­gance and easy meth­ods for trans­form­ing large com­plex sets of data into some­thing mean­ing­ful. When­ever I find my self needed to ana­lyze logs, I like to see them in the con­text of over time. This is far from the only way to visu­al­ize data, but it’s a basic one that I find use­ful time and time again. GD::Graph makes this task insanely easy.

All that’s required for a basic graph is a two-dimensional array. Essen­tially, an array con­tain­ing two other arrays; one for the X-Axis val­ues, and another for the Y-Axis. The lit­tle code below cre­ates my data array, and sets the width/height of a new graph object.

@data = (\@xvalues,\@yvalues);
my $graph = GD::Graph::area-&gt;new($width,$height);

Now all I need to do is plot the data on the graph object and extract a pic­ture from it.

my $image = $graph-&gt;plot(\@data) or die $graph-&gt;error;
print STDOUT $image-&gt;png;

And that’s it!  A very easy and straight for­ward method to get a sim­ple graph of some data.

Spam Analysis

The other day I received a piece of spam that sur­prised me. First, because I was sim­ply shocked that I got a piece of spam. I haven’t received a sin­gle piece of spam at that address in years! This led to my sec­ond obser­va­tion: the spam was sent to one per­son and car­bon copied to three oth­ers, all at the same domain name. Now that’s tricky! Here lots of spam­mers are try­ing to use PDFs or images to get their spam through, and this per­son just made it look like a typ­i­cal busi­ness email.

SPAM Message

If you both­ered to take a look at the image above, you noticed a link to www [dot] med123window [dot] org. Now I’m always up for an adven­ture, so I logged into my trusty *nix box and pulled the page down with wget. Using cat to look at the con­tents, I noticed that it con­tained noth­ing but a big encoded JavaScript. Take a look at it here.

The script would use the JavaScript func­tion unescape to turn the hex val­ues into ASCII and then pass that result on to the eval func­tion for it to be loaded and exe­cuted at run­time. Maybe it’s because I look at mal­ware all day, but is it just me, or is there no good rea­son for eval to exist?

I could have used a JavaScript based sand­box approach that would allow the code to be unescaped and dis­played in a textarea, but I’ve heard reports that some mali­cious code is wise to that attempt and can defeat it. So I went with a method they can’t defeat. It’s called perl. And it’s beautiful!

The method I used here was to take input off of STDIN, find all occur­rences of \x??, con­vert each to the cor­re­spond­ing ASCII value, and then finally parse that result for use of HTML encod­ing that uses hex in the form %??. Here’s the result­ing pro­gram.
(** Note: In both exam­ples above the ques­tion marks would be replaced with a hex value 0–9 or A-F)

Here’s the out­put after both rounds of con­ver­sion through my script.

Spam Analysis - Round 2

Thank­fully, this tries to load a page off of non-standard port 8088 which is blocked by default in my gen­eral egress rule set. It’s blocked in yours too, right?

If we use a machine that does have access to the port we can view this site by pro­vid­ing a fake sub­do­main match­ing the pat­tern the script above would use. When I saw it I was actu­ally fairly impressed. The design and lay­out was very well done, looked pro­fes­sional, and dare I say even bet­ter than some legit cor­po­rate web sites!

The main site: Spam Analysis - Main Site The Check-Out Cart: Spam Analysis - Check Out

Now here’s what’s always baf­fled me about these sites.…. They are sell­ing drugs, right? So why are peo­ple will­ing to pay large sums of money for drugs when they could get from their doc­tor for a co-pay if they really needed them? Also, who says this dealer can be trusted?! They are an annoy­mous web­site that uses shad­ing mar­ket­ing tac­tics to get peo­ple to their site. What’s to say that the check out isn’t just to col­lect credit card num­bers and never send you a sin­gle pill? Even more dire, what’s to stop them from putting arsenic in every pill? It’s not like they are reg­u­lated by the FDA.

* shrugs * I may not under­stand why peo­ple go to these sites, but I can at least accept that some­one must, oth­er­wise there wouldn’t be so much effort put into get­ting the adver­tise­ment out.

Simple UNIX Time Conversion

Often when inves­ti­gat­ing inci­dents, log files, file for­mats, etc I come across a Date and Time stored in UNIX for­mat. That is, the num­ber of sec­onds since Mid­night on Jan­u­ary 1st, 1970. The script is very straight for­ward and easy to use. Pass it the UNIX time on the com­mand line and it will out­put the time in a human read­able format.

The Script
convert_time.pl

Sam­ple Out­put
Convert Time Output