I found this executable A0000623.sys with 6 detections on VirusTotal. Are these false positives or true positives?
The file was found in the _restore system folder. It looks like it is a Windows system file (tcp.sys), but maybe it is infected. It has no digital signature.
With the help of Google, I was able to trace it back to MS05-019: WindowsXP-KB893066-x86-ENU.exe. But unfortunately, WindowsXP-KB893066-x86-ENU.exe can no longer be downloaded from Microsoft’s site, as they published a new release for this patch: WindowsXP-KB893066-v2-x86-ENU.exe.
Fortunately, I found another file in this _restore folder: A0000615.cat. This is a catalog file that Microsoft uses to sign Windows executables. With Sysinternals’ sigcheck tool and this catalog file, I was able to confirm that this is a signed Windows executable and conclude that the detections are false positives.
I will release a new version of my AnalyzePESig tool that accepts an optional catalog file.
I finally compiled a list of the software I published. You can find it under My Software.
First comes an overview, and then, for each program, all the versions you can download with links to the blogposts where they are mentioned.
I’m taking SANS’ “SEC503 Intrusion Detection In-Depth” class here in Brussels.
One of the exercises consisted of extracting the passwords from a capture file of an FTP password dictionary attack.
I was at an advantage for this exercise ;-) I have a Lua script for Wireshark that extracts credentials (HTTP and FTP in this release).
Notice that some entries have no username. A closer look at the capture file with Wireshark revealed missing segments (with the USER admin FTP command).
I produced a new video: a simple howto for users who don’t know how to use Windows explorer’s properties dialog to check a digital signature.
Later in the video, it gets a bit more technical by using tools (AnalyzePESig and sigcheck) to check signatures.
UltraEdit is my text editor on Windows. I developed a couple of simple scripts that I’m going to release.
The first one is SubstituteEachLine.js.
I run this script when I need to transform each line into another form. Take this example where I want to create a Python dictionary with these words:
I start my script and type this template (%% is the placeholder for each original line in the document):
The script replaces each line in the document like this:
I also often use this in a command-line environment with a limited shell. For example, to rename a bunch of files in “DOS”, I put the list of filenames in a text document and then run my script: “ren %% %%.old”. As shown in this example, you can use the placeholder (%%) more than once in the template. But you can’t escape the placeholder string.
PS: you can also use regex search and replace to do this, but there are cases where I prefer my script.
This update to my Prefetch File 010 Template adds Sections A through D.
There is extra error handling in this new version.
virustotal-search and virustotal-submit have their own page now: VirusTotal Tools.
In 2009 I added a command to my Disitool to inject data “into” an Authenticode signature without invalidating it.
This year I reported on some installer programs using this padding trick.
With MS13-098, Microsoft releases a patch to prevent this signature padding trick. This change in behavior will become active June 10th 2014.
But you can already activate it now by setting the REG_SZ value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config\EnableCertPaddingCheck to “1”.
Here is the effect illustrated with my AnalyzePESig tool:
But beware of a potential issue with this registry value. Setting it to “0” will not revert to the old behavior (tested in a VM with Windows XP SP3).
I had to delete the value (actually, I renamed it) and reboot to revert to the old behavior. I informed Microsoft.
This is an important update to virustotal-search.py.
Rereading the VT API, I noticed I missed the fact that the search query accepts up to 4 search terms.
This new version submits 4 hashes at a time, making it up to 4 times faster than previous versions.
A quick tip: for more than a year now I’ve been including xml output with each nmap scan I perform. I discovered that the xml output contains more (explicit) data than the other output formats.
nmap -oG test.csv -oX test.xml scanme.nmap.org
Starting Nmap 5.51 ( http://nmap.org ) at 2013-11-23 05:05 EST
Nmap scan report for scanme.nmap.org (126.96.36.199)
Host is up (0.65s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9929/tcp open nping-echo
Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds
The grepable output:
The xml output:
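As an added example (not code from the original post), here is a small Python parser over an nmap xml fragment modelled on the scan above, pulling out fields the normal output does not show, such as why each port is reported open (the reason attribute) and how the service name was decided. The xml fragment and its attribute values (start time, reasons, TTLs) are constructed for this example, since the post’s own xml output is not reproduced here.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output modelled on the scan shown above; this is
# not the post's own xml, and attribute values such as reason/TTL are assumed.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -oG test.csv -oX test.xml scanme.nmap.org" version="5.51" start="1385201100">
<host starttime="1385201100" endtime="1385201101">
<status state="up" reason="echo-reply"/>
<address addr="126.96.36.199" addrtype="ipv4"/>
<hostnames><hostname name="scanme.nmap.org" type="user"/></hostnames>
<ports>
<extraports state="closed" count="997"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="53"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="53"/><service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="9929"><state state="open" reason="syn-ack" reason_ttl="53"/><service name="nping-echo" method="table" conf="3"/></port>
</ports>
</host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return one dict per host with the explicit fields the xml carries:
    port-state reason, service-detection method and the summarised extra ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        hn = host.find("hostnames/hostname")
        extra = host.find("ports/extraports")
        entry = {
            "ip": addr.get("addr") if addr is not None else None,
            "hostname": hn.get("name") if hn is not None else None,
            "state": host.find("status").get("state"),
            "extraports": (extra.get("state"), int(extra.get("count"))) if extra is not None else None,
            "ports": [],
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),  # e.g. syn-ack; not in the normal output
                "service": service.get("name") if service is not None else None,
                "method": service.get("method") if service is not None else None,  # table vs probed
            })
        hosts.append(entry)
    return hosts
```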