Monday, December 31, 2012

How to secure your Windows computer from malware

Most of us use a Windows computer for our daily tasks. However, some precautions must be taken so that you do not end up frustrated after being infected by nasty viruses.


  • Always scan your USB drive.

-Sometimes your friend comes to your room and asks to use your computer for casual stuff - surfing, finishing her work or the like. Make sure she scans her USB drive with an antivirus. You can easily find a free one, for example "Microsoft Security Essentials" or "MSE".


  • Do not download a suspicious attachment

-Somehow you might get an email from unknown people. If you happen to download the file, make sure you scan it first, to make sure it is clean and pristine.


  • Use Linux

-Well, Windows viruses are not compatible with Linux. The architecture is genuinely different. This holds for ordinary executable files; application-based attacks will not be discussed here. Linux is free, and I have been using it for almost 10 years without any virus infection.

Lastly, stay safe!

Thursday, December 6, 2012

Chrome and Blackhole Exploit

A friend who just moved to Blue Coat Inc. had his article published in Threatpost. It seems changing employer opened up new opportunities for him too!

Wednesday, October 10, 2012

Chromium Exploited Again in HITB 2012


Earlier this afternoon I saw this guy's name on the scoreboard.. at that time it was not confirmed yet. Now it looks confirmed that he got another USD60K. Impressive.

From here:

For the second time this year, an anonymous teenage security researcher has succeeded in producing a full exploit, including a sandbox escape, against Google Chrome. The researcher, who uses the pseudonym PinkiePie, submitted his exploit Wednesday during the Pwnium contest run by Google at the Hack in the Box conference.

Earlier I was planning to attend the Pirate Bay talk, but the talk was cancelled.


Pirate Bay founders Peter Sunde and Fredrik Neij suddenly and unexpectedly didn't show up for their eagerly-awaited presentation at the HiTB security conference in Kuala Lumpur, Malaysia this afternoon.
There is still no official word on the whereabouts or status of Sunde and Neij.
They were set to travel separately, with Neij coming to the conference via Thailand.

Don't know what happened to them.

Tuesday, September 25, 2012

Malicious Software Coursera FREE class now online

Coursera previously started with a few classes and has now expanded to many classes across different disciplines. Good to know that Dr Lorenzo Cavallaro has also started his class on Malicious Software, which you can simply sign up for here



Summary

"Malicious Software and its Underground Economy: Two Sides to Every Story
Lorenzo Cavallaro of Royal Holloway, University of London

Learn about traditional and mobile malware, the security threats they represent, state-of-the-art analysis and detection techniques, and the underground ecosystem that drives such a profitable but illegal business."

The class however will only start in June 2013.. that's almost 9 months to go! Enough time to have a baby.

Have fun!

Wednesday, September 19, 2012

Tuesday, September 11, 2012

Value of Hacked PC - by Krebs

Krebs put this on his website. I thought it would be useful to share it with you guys.


Monday, September 10, 2012

Kippo - MySQL 101

mysqld_safe --skip-grant-tables &    # auth is off until restart: any client can connect as root
mysql -u root
use mysql;
update user set password=PASSWORD("testpass") where User='root';
flush privileges;                    # reload the grant tables, otherwise the GRANT below is refused
create database kippo;
use kippo;
grant all privileges on kippo.* to 'kippo'@'localhost' identified by 'secret';
flush privileges;


Just my copy-and-paste script, useful for a fresh installation.

Friday, September 7, 2012

Snort MySQL error "database: must enter database name in configuration file#012"

in /etc/snort/database.conf, modify the line

output database: log, mysql

to

output database: log, mysql, user=snort password=<your pass> dbname=snort host=localhost 

Wednesday, September 5, 2012

My self note on Snort + MySQL on Ubuntu

Enable the root login first.

Stop the mysql service.

Invoke:
mysqld_safe --skip-grant-tables &    # grant tables are off: any client can connect as root without a password until restart

Update the password for root:
use mysql;
update user set password=PASSWORD("testpass") where User='root';
flush privileges;


Restart mysql normally.

Snort:

create database snort;
use snort;
grant all privileges on snort.* to 'snort'@'localhost' identified by 'passwordbaru';
flush privileges;


Will be updated from time to time if needed


Should get this:


mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)



Monday, September 3, 2012

Metasploit

I kind of like the SVN version of anything; of course, expect a buggy ride when doing so. For example, what did you do with your Metasploit?

Friday, August 31, 2012

My paper "Challenges in High Accuracy of Malware Detection" is available at IEEExplore

My paper, which was presented last July 2012, is now available via IEEExplore. Get it here

"The Hacker News" e-magazine, FREE!

The Hacker News, or THN, provides a free security magazine in electronic form (PDF). It can be downloaded here

Wednesday, August 29, 2012

NSS 2013 CFP at Madrid

NSS 2013 CFP: here

NSS is an annual international conference covering research in network and system security. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of network security, privacy, applications security, and system security. Papers describing case studies, implementation experiences, and lessons learned are also encouraged. Topics of interest include but are not limited to:
- Active Defense Systems
- Adaptive Defense Systems
- Analysis, Benchmark of Security Systems
- Applied Cryptography
- Authentication
- Biometric Security
- Complex Systems Security
- Database and System Security
- Data Protection
- Data/System Integrity
- Distributed Access Control
- Distributed Attack Systems
- Denial-of-Service
- High Performance Network Virtualization
- High Performance Security Systems
- Hardware Security
- Identity Management
- Intelligent Defense Systems
- Insider Threats
- Intellectual Property Rights Protection
- Internet and Network Forensics
- Intrusion Detection and Prevention
- Key Distribution and Management
- Large-scale Attacks and Defense
- Malware
- Network Resiliency
- Network Security
- RFID Security and Privacy
- Security Architectures
- Security for Critical Infrastructures
- Security in P2P systems
- Security in Cloud and Grid Systems
- Security in E-Commerce
- Security in Pervasive/Ubiquitous Computing
- Security and Privacy in Smart Grid
- Security and Privacy in Wireless Networks
- Secure Mobile Agents and Mobile Code
- Security Policy
- Security Protocols
- Security Simulation and Tools
- Security Theory and Tools
- Standards and Assurance Methods
- Trusted Computing
- Trust Management
- World Wide Web Security

Tuesday, August 28, 2012

HITB 2012 Kuala Lumpur, Malaysia

HITB 2012 KUL will be held this coming October 2012! I have already registered and hope to see you guys there!

More info here



avast: can not initialize avast! engine: Invalid argument

I was unable to use my Avast AV on Linux, so I stumbled here because of the similar error message.

The solution as given in the blog:

sysctl -w kernel.shmmax=100000000    # run as root; raises the max shared memory segment size the engine needs

It works for me!

Monday, August 27, 2012

Windows malware detection on Linux host

My favourite workstation is Linux, but I need to analyze Windows malware.
There are several options, such as those listed here

On Ubuntu for example, we can simply type

sudo apt-get install clamav

F-Prot also provides a free Linux host antivirus to analyze Windows malware here

Thursday, August 16, 2012

Spotting scam email

A friend asked whether an attachment she received is trustworthy or not. On receiving it, I could quickly conclude it is a scam, preying on greedy or needy people. However, I noticed it seems somewhat "localized": since my friend is Malaysian, the scam email also uses "Malaysia" in the content.

A sample of this "United Nations" scam email can be found here; someone blogged about it

Wednesday, August 15, 2012

Kaspersky asking for top-notch cryptographers to help them decrypt a malware's encryption

Kaspersky, a well-known Russian brand in the antivirus industry, is asking for people out there to help decrypt a new malware that carries encryption inside. If you have a strong math background and are able to help them out (ask them for $$$ as well!!), check it out!

source 1
source 2

This malware is thought to have capabilities similar to Stuxnet - attacking a specific platform on SCADA systems.

Sunday, August 12, 2012

Scholar Updates: Making New Connections - Google Scholar Blog

I have created a profile on Google Scholar "My Citations", where you can publicly track other people's publications (I mean, your rock stars) as well as manage your own publications.

Here is my page

Most of what I track is in the "malware" research area.

Here are the details of how you can create your own profile: Scholar Updates: Making New Connections - Google Scholar Blog

Thursday, August 9, 2012

DNSSocial

A friend, Mr Amir Haris, has spent hundreds of hours developing a new concept of DNS tool, DNSsocial. You can use the service as your name server, for sharing domain names with friends, for signing your domain with DNSSEC, and more.

As I am not an expert in DNS.. kindly go to the website and see it for yourselves. Most of the service is automated, and once your domain has successfully propagated to the root servers, you will receive an email notification.

This is my domain that is already registered with DNSsocial .. http://najmi.my

Monday, August 6, 2012

Friday, July 13, 2012

Malware Books

I recently ordered the following books:



and



Patiently waiting for my copies :)

MISTI 2012 CTF

yondie wrote a question for the MISTI2012 CTF and published his solution to the question here

Sunday, July 8, 2012

Computers infected with DNSChanger malware will be blocked from Internet beginning 9th July 2012

Today is your last chance to check your computer to see if it is infected with the DNSChanger Trojan. If your computer is infected, you are at risk of losing Internet access tomorrow. Check to see if you're infected with the DNSChanger Trojan here: http://www.mcafee.com/dnscheck. If you're infected, you can download McAfee's free tool to restore your Internet settings.
http://blogs.mcafee.com/consumer/family-safety/on-july-9th-millions-may-lose-access-to-internet


Check if you're affected:

Wednesday, June 27, 2012

Malware Similarities Detection Via Visualization

A UCSB researcher has come up with an idea to detect similarities between malware binaries by visualizing the malware. By comparing the similarity patterns, a researcher could save time analyzing a new malware against the existing, stored patterns. You can check the project and upload your sample here

Tuesday, June 19, 2012

Ping

a billingsgate knows exactly how it wants it

Computer Security Journal Rankings

I forgot to jot down the conference/publication rankings when I stumbled upon them.

This is one (this is a running list; it will be updated from time to time, insya Allah)

here

Monday, June 11, 2012

Flamer malware

Mila has already shared several samples of the infamous "Flame" malware in her malware repository

Get it here and start analyzing!

Friday, May 11, 2012

Fred Cohen's PhD Thesis

Dr Fred Cohen's doctoral thesis is considered the first and seminal paper in computer virus/malware research. I have already mirrored his link, so basically you can get it here


Tuesday, May 8, 2012

My UKSIM paper in CSDL

The paper that I presented in Cambridge now appears in the CSDL index. You can read the complete paper here

However, as with other papers indexed by CSDL, you or your institution need to have access to that online database.


Wednesday, April 18, 2012

Review of the book "Practical Malware Analysis"

I am currently reading the book "Practical Malware Analysis". The book is published by the well-known "geek" book publisher, "No Starch Press". The book's presentation is technical and down-to-earth. Both authors work at Mandiant, a computer security company.



If you are interested in the field of malware analysis, I recommend that you own this book as an investment.

In my view this book requires an "intermediate" background, since you need to know the basics of operating systems, networking and Windows. It focuses on "Windows binaries", and if you are interested in mobile malware there are other books that are more suitable. The analysis starts with basic static and dynamic analysis, then moves on to advanced static and dynamic analysis.

My rating: 4.5/5
Minus 0.5 because no DVD is included for the hands-on labs at the end of each chapter.

Monday, April 9, 2012

The Scam Threat - Between Technological Progress and Human Ignorance

I often read in the newspapers about Internet fraud involving large losses. Often we find that the victims of the fraud are lonely women or senior citizens.
 
Fraud like this, known as a scam, is an international fraud network. Usually, if the victim is a woman, the person approaching her will use a fake profile, with a profile picture obtained from who knows where (possibly an accomplice too). Who wouldn't melt at the prospect of a Western sweetheart! In the end the trap springs, and the fraud victim suffers trauma both emotionally and financially.

Then there is fraud using a "mule" or "donkey". We see this often nowadays, where emails in Malay are addressed to victims at random or selectively within a particular region. The modus operandi: overseas investments, hidden fortunes left behind by warlords, inheritance of assets worth millions of ringgit from a widow's husband, and many other tactics to ensnare those who are short of money or greedy.

There is an anti-scam site called "Artists Against 419", where 419 is the act dealing with the problem of these scammers. Readers can refer to that site for more information on the Nigerian scam.

Friday, April 6, 2012

Done with UKSIM, now concentrate on the journal!



Alhamdulillah, I presented my work at UKSIM, and later the same slides were "recycled" for an informal group session at the Computer Laboratory (CL), William Gates Building. Among the people I noticed in the CL session were the person in charge (Wei), Rubin and Richard Clayton. (I also noticed a white-bearded guy.. I think a professor.) I was a little hesitant at first to go there, since it is Cambridge, the top university in the world, while my work could be regarded as "premature". Nevertheless, since it was informal and Wei seemed interested to see the talk, I took a bus from the nearest bus stop at the hotel and got off at West Cambridge. A friend, Aeffendi Hashim, is also working on his PhD at a building behind the William Gates Building, CAPE.




A nice experience, especially the Q & A, where I felt "grilled". But of course, I took the challenge; I hope it was worth it and helps me shape up my research work.

Wednesday, February 29, 2012

mwserv support in mwcollectd, dionaea and perhaps some other honeypots

For some reason, the configuration of mwserv in, say, dionaea is perhaps among the most mysterious questions I could find when I wanted to know about it.

A few years ago, I registered my honeypot as a "freelancer" at the Mwcollect Alliance. Here, the maintainer (from Giraffe Honeynet, a Germany-based honeynet chapter) needs you to contribute back. In my case, I turned on the mwserv config in my honeypot.

In dionaea.conf (or in any honeypot that you have, let's say mwcollectd), you need to uncomment mwserv in the ihandlers section:


        ihandlers = {
            handlers = ["ftpdownload", "tftpdownload", "emuprofile", "cmdshell", "store", "uniquedownload",
            "logsql",
            "virustotal",
            "mwserv",
//            "submit_http",
//            "logxmpp",
            "nfq",
//            "p0f",
//            "surfids",
//            "fail2ban"
            ]
        }

Next, once your registration is approved at the mwcollect alliance, you will be able to create your honeypot sensors.

        mwserv = {                      // ask your mwserv backend provider for needed values
            url = "https://mwserv.mwcollect.org/"           // the url to send the submission requests to
            maintainer = ""     // username of the maintainer of this sensor
            guid = ""           // guid of this sensor, as generated serverside; typically 8 chars
            secret = ""         // shared secret used for authentication aka password; typically 48 chars
        }

Perhaps people find it hard to locate the URL for mwserv; for the last few years it has always been "https://mwserv.mwcollect.org/" .. as far as I know this cannot be found anywhere, unless you hang out in the #nepenthes channel at irc.freenode.net
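An added example, not part of dionaea or of the original post: a small Python check that parses an mwserv block in the shape shown above and reports values left empty or of an unexpected length, going by the "typically 8 chars" and "typically 48 chars" hints in the config comments. The sample block, its maintainer name and its guid are constructed placeholders.

```python
import re

# Constructed dionaea.conf fragment in the shape of the mwserv block above.
# The guid is a made-up placeholder, not a real sensor id; secret is left
# empty on purpose so the check below has something to report.
SAMPLE_CONF = '''
mwserv = {                      // ask your mwserv backend provider for needed values
    url = "https://mwserv.mwcollect.org/"   // the url to send the submission requests to
    maintainer = "sensor-owner" // username of the maintainer of this sensor
    guid = "abcd1234"           // guid of this sensor; typically 8 chars
    secret = ""                 // shared secret used for authentication; typically 48 chars
}
'''

# key = "value" pairs, one per line; trailing // comments are simply not captured
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)


def parse_mwserv_block(conf_text):
    """Return the quoted settings inside the mwserv = { ... } block as a dict."""
    block = re.search(r'mwserv\s*=\s*\{(.*?)\n\s*\}', conf_text, re.S)
    if block is None:
        return {}
    return dict(KV_RE.findall(block.group(1)))


def check_mwserv(cfg, guid_len=8, secret_len=48):
    """List settings that would make submissions fail or expose the shared secret."""
    problems = []
    if not cfg.get("url", "").startswith("https://"):
        # the secret travels with every submission, so a plain http URL leaks it
        problems.append("url must use https://")
    for key in ("maintainer", "guid", "secret"):
        if not cfg.get(key):
            problems.append(f"{key} is empty")
    if cfg.get("guid") and len(cfg["guid"]) != guid_len:
        problems.append(f"guid is {len(cfg['guid'])} chars, expected {guid_len}")
    if cfg.get("secret") and len(cfg["secret"]) != secret_len:
        problems.append(f"secret is {len(cfg['secret'])} chars, expected {secret_len}")
    return problems


if __name__ == "__main__":
    for problem in check_mwserv(parse_mwserv_block(SAMPLE_CONF)):
        print("mwserv config:", problem)
```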

You can filter the verbose output once you start your dionaea sensor:

dionaea -l all,-debug -L 'mwserv'

Output:

[01032012 08:24:41] mwserv dionaea/mwserv.py:77: mwserv _heartbeat
[01032012 08:24:45] mwserv dionaea/mwserv.py:166: mwserv heartbeatresult: b'OK: 120'
[01032012 08:26:41] mwserv dionaea/mwserv.py:77: mwserv _heartbeat
[01032012 08:26:47] mwserv dionaea/mwserv.py:166: mwserv heartbeatresult: b'OK: 120'
[01032012 08:28:41] mwserv dionaea/mwserv.py:77: mwserv _heartbeat
[01032012 08:28:47] mwserv dionaea/mwserv.py:166: mwserv heartbeatresult: b'OK: 120'
[01032012 08:30:41] mwserv dionaea/mwserv.py:77: mwserv _heartbeat
[01032012 08:30:48] mwserv dionaea/mwserv.py:166: mwserv heartbeatresult: b'OK: 120'
[01032012 08:32:41] mwserv dionaea/mwserv.py:77: mwserv _heartbeat
[01032012 08:32:46] mwserv dionaea/mwserv.py:166: mwserv heartbeatresult: b'OK: 120'
[01032012 08:34:41] mwserv dionaea/mwserv.py:77: mwserv _heartbeat
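As an added example (not code from the original post or from dionaea), here is a Python audit of mwserv heartbeat log lines in the format shown above: it flags heartbeats that never get a result, results other than OK, and gaps longer than the two-minute cadence visible in the log. The sample lines are constructed, and the 120-second interval, the DDMMYYYY timestamp layout and the error reply are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the shape of dionaea's mwserv ihandler output; the
# six-minute gap and the non-OK reply are inserted to exercise the checks.
SAMPLE_LOG = """\
[01032012 08:24:41] mwserv dionaea/mwserv.py:77: mwserv _heartbeat
[01032012 08:24:45] mwserv dionaea/mwserv.py:166: mwserv heartbeatresult: b'OK: 120'
[01032012 08:26:41] mwserv dionaea/mwserv.py:77: mwserv _heartbeat
[01032012 08:26:47] mwserv dionaea/mwserv.py:166: mwserv heartbeatresult: b'OK: 120'
[01032012 08:32:41] mwserv dionaea/mwserv.py:77: mwserv _heartbeat
[01032012 08:32:46] mwserv dionaea/mwserv.py:166: mwserv heartbeatresult: b'ERROR: bad secret'
[01032012 08:34:41] mwserv dionaea/mwserv.py:77: mwserv _heartbeat
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{8} \d{2}:\d{2}:\d{2})\] mwserv \S+: mwserv "
    r"(?P<event>_heartbeat|heartbeatresult)(?:: b'(?P<result>[^']*)')?$"
)


def parse_line(line):
    """Return (timestamp, event, result) for an mwserv log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d%m%Y %H:%M:%S")  # assumed DDMMYYYY
    return ts, m.group("event"), m.group("result")


def audit_heartbeats(log_text, expected_interval=120, slack=5):
    """Return findings as tuples: ('gap', since, seconds), ('error', ts, reply)
    or ('unanswered', ts). A sensor that stops heartbeating or gets a non-OK
    reply is no longer delivering samples to the backend."""
    findings = []
    last_sent = None   # timestamp of the previous _heartbeat
    pending = None     # _heartbeat still waiting for its heartbeatresult
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, event, result = parsed
        if event == "_heartbeat":
            if pending is not None:
                findings.append(("unanswered", pending))
            if last_sent is not None:
                gap = int((ts - last_sent).total_seconds())
                if gap > expected_interval + slack:
                    findings.append(("gap", last_sent, gap))
            last_sent = pending = ts
        else:
            pending = None
            if not result.startswith("OK"):
                findings.append(("error", ts, result))
    if pending is not None:
        findings.append(("unanswered", pending))
    return findings


if __name__ == "__main__":
    for finding in audit_heartbeats(SAMPLE_LOG):
        print(*finding)
```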

Saturday, February 25, 2012

"Data Mining Tools for Malware Detection" book

I recently bought this fresh new book on the application of data mining to malware detection.

I bought it online from the UK, as it is not yet available in Malaysia. Perhaps you can try the following to get the book:

Amazon
CRC Press

Friday, February 24, 2012

Paper accepted at UKSIM 2012, Cambridge, UK

My paper was submitted to UKSIM 2012, Cambridge, UK and was accepted.
To cite it, use the following BibTeX:
 
@INPROCEEDINGS{Ahma1203:Malware,
AUTHOR="Muhammad Najmi {Ahmad Zabidi}",
TITLE="Malware Analysis with Multiple Features",
BOOKTITLE="UKSim 14th International Conference on Computer Modelling and Simulation,
UKSim2012 (UKSim2012)",
ADDRESS="Cambridge, United Kingdom",
DAYS=28,
MONTH=mar,
YEAR=2012,
KEYWORDS="malware, static analysis, feature selection",
ABSTRACT="Malware analysis process is being categorized into static analysis and
dynamic analysis. Both static and dynamic analysis have their own strengths
and weaknesses. In this paper, we present a tool written in Python
programming language called as pi-ngaji, which could assist the work of
malware analyst to get the static features of malware. pi-ngaji contains
several modules - Application Programming Interface (API) calls extractor,
binary entropy information, anti virtual machine and anti debugger detector
and XOR encrypted strings decryptor. pi-ngaji was developed in order to
assist our work in getting malware features. pi-ngaji is focusing on
ripping Microsoft Windows executable binaries' malicious features."
}



Sunday, February 12, 2012

Book

This is the book...
The voucher still had a balance, so I topped it up a bit to buy paper
As a student I received a 1Malaysia book voucher worth RM200, which I used to buy a book related to my research. The book was expensive, so with that voucher I obtained only that one book.


Saturday, February 4, 2012

DNS-changing virus

Krebs, a journalist in the computer security field, discusses a kind of malware that changes DNS (Domain Name System) addresses. This malware is able to disable antivirus software and prevents the targeted system from updating its Microsoft operating system.

The malware's name: DNSChanger

source

Saturday, January 14, 2012

New published paper - 2011

I presented my paper at the 7th IAS 2011 conference in Melaka last December 2011. The paper now appears in IEEExplore. Get it here

Since I have already transferred my copyright to them, you have to get (paid) access to the paper. If your organization subscribes, you'll be able to access the paper.

Most universities have access to IEEExplore, so it should not be a problem.

To cite my paper, use the following BibTeX entry

@INPROCEEDINGS{6122799,
author={Zabidi, Muhammad Najmi Ahmad and Maarof, Mohd Aizaini and Zainal, Anazida},
booktitle={Information Assurance and Security (IAS), 2011 7th International Conference on},
title={Ensemble based categorization and adaptive model for malware detection},
year={2011},
month={dec.},
volume={},
number={},
pages={80-85},
keywords={},
doi={10.1109/ISIAS.2011.6122799},
ISSN={},
}