Thursday, February 25, 2010

Packet Fun

Last week I started playing with NetWitness Investigator, a threat analysis app that makes it very easy to sort and drill down into packets when doing analysis. There's a freeware version (limited to 1 Gb pcaps in the demo and to local collections only). You can download it here. NetWitness runs on Windows or Linux, but the Linux version is in the commercial version only.

So today I took a look at Mu Dynamics xtractor, a cloud app with similar capabilities. Their demo movie takes to task a forensics challenge asking you to answer 8 questions about Ann's online activities. It's quite nifty. The movie is here, as well as a download link. xtractor runs on Linux distros and starts a Web server. Just point your browser at it. They do say Chrome or FireFox work well; IE not so much...

Thursday, February 11, 2010

Aurora Disinfect Tool

HB Gary, one of the companies working on the forensics of the Aurora attacks against Google, Adobe and others, has released what they call an "inoculation shot" for Aurora. It's a free scan and remove tool for the malware. The tool can be found on their site here. There's a good write up on the investigation to date on Dark Reading, found here.

Monday, February 8, 2010

Packet Captures

If you're looking for packet captures to sharpen your analytical skills, the folks behind Wireshark have a nice site, found at

You'll find captures with all sorts of protocols (over 60) from the mundane to the esoteric (how about a capture of a line of text using STANAG 5066 (S5066))?

There are lots of sites with packet captures of malicious traffic or war games traffic, but it's also always helpful to keep increasing your knowledge of normal traffic too. As the instructors say, if you don't know what normal looks like, how will you recognize the anomaly?

Oh and if you need some sites with challenge or war games type captures, here's a couple I've come across..

Trojaned Mozilla Plugins

If you use either Sothink Web Video Downloader 4.0 or Master Filer add-ons in Firefox for Windows, both have been found to contain Trojans. Details at the Download Blog post found here.
This raises the topic again of how you verify safety of all the gadgets and gizmo's you install? This is especially an issue with automated updates and installs via the Web browser, like these Firefox add-ons.
The vast majority of end users trust almost everything they come across and click without giving it a thought, despite all the efforts at end-user education, so how do we protect folks against themselves on the Internet.
Even if you manually download every app, checksum it, and run multiple scanners against it, we know it's still possible to get burned, so how do find a way to protect folks who are willing to click on any link they come across? Or teach them that just because the site is "good" isn't a guarantee some Bad Guys haven't compromised the site and injected malicious code via a script, or a Flash ad, or replaced a good version of a file with a piece of malware?

Monday, February 1, 2010

UDP scanning with NMAP

Fyodor has made a major improvement to UDP scanning in the latest release of nmap. Rather than regurgitate the entire write up by Rob Vanderbrink on the Internet Storm Center, found here, let me summarize by saying Fyodor has changed nmap's operation for certain UDP services. nmap will now actually connect to that service and therefore verify the port is open, and that the service is actually running. If you don't know why this was an issue in the past (and still is for any services not included in the new nmap), read Rob's diary entry. He does a great job of simplifying the explanation.
As always. the latest version of nmap can be found at Fyodor's site found here.

Blog Archive